Samsung iES4024GP Management Manual Download Page 135 | Manualshive

Page: 135 / 712

background image

User Authentication

3-79

3

•

Private Password

– Password stored in the private key file. This password is used

to verify authorization for certificate use, and is verified when downloading the
certificate to the switch.

Web

– Click Security, HTTPS Settings. Fill in the TFTP server, certificate and private

file name details, then click Copy Certificate.

Figure 3-47 HTTPS Settings

CLI

– This example copies the certificate file from the designated TFTP server.

Note:

The switch must be reset for the new certificate to be activated. To reset the
switch, See “Resetting the System” on page 3-34 or type:

Console#reload

Configuring the Secure Shell

The Berkeley-standard includes remote access tools originally designed for Unix
systems. Some of these tools have also been implemented for Microsoft Windows
and other environments. These tools, including commands such as

rlogin

(remote

login),

rsh

(remote shell), and

rcp

(remote copy), are not secure from hostile attacks.

The Secure Shell (SSH) includes server/client applications intended as a secure
replacement for the older Berkeley remote access tools. SSH can also provide
remote management access to this switch as a secure replacement for Telnet.
When the client contacts the switch via the SSH protocol, the switch generates a
public-key that the client uses along with a local user name and password for access
authentication. SSH also encrypts all data transfers passing between the switch and
SSH-enabled management station clients, and ensures that data traveling over the
network arrives unaltered.

Console#copy tftp https-certificate

TFTP server ip address: <

server ip-address

>

Source certificate file name: <

certificate file name

>

Source private file name: <

private key file name

>

Private password: <

password for private key

>

«
...
133
134
135
136
137
...
»

Summary of Contents for iES4024GP

Page 1: ...iES4028F 4028FP 4024GP ...

Page 2: ...iES4028F iES4028FP iES4024GP E082008 ST R03 149100041800A 149100040200A 149100041700A 149100000020A ...

Page 3: ... are associated This manual should be read before the installation and operation and the operator should correctly install and operate the product by using this manual This manual should be read before the installation and operation and the operator should correctly install and operate the product by using this manual This manual may be changed for the system improvement standardization and other ...

Page 4: ...iv This page is intentionally left blank ...

Page 5: ... personal injury Related Publications The following publication details the hardware features of the switch including the physical and performance related characteristics and how to install the switch The Installation Manual Also as part of the switch s software there is an online web based help that describes all management related features Revision History This section summarizes the changes in ...

Page 6: ...stem Files on page 2 8 Saving Configuration Settings on page 2 9 Configuring Power over Ethernet on page 2 10 VLAN Learning under Displaying Bridge Extension Capabilities on page 3 16 Removal of default IP address under Setting the Switch s IP Address on page 3 17 Change to jumbo frame size under Enabling Jumbo Frames on page 3 20 Managing Firmware on page 3 21 Command Usage and Command Attributes...

Page 7: ... Tunnel Status Command Attribute under Enabling QinQ Tunneling on the Switch on page 3 204 Traffic Segmentation on page 3 206 Removed Isolated VLAN option from Private VLANs on page 3 209 Introduction and Command Usage under Protocol VLANs on page 3 214 Command Usage under Configuring the Protocol VLAN System on page 3 216 Field Attributes under Displaying LLDP Local Device Information on page 3 2...

Page 8: ...Introduction under Network Access MAC Address Authentication on page 4 150 Removed network access dynamic qos network access link detection network access link detection link down network access link detection link up and network access link detection link up down commands from Network Access MAC Address Authentication on page 4 150 Removed web auth login fail page url web auth login page url and ...

Page 9: ...4 271 and related commands which had supported this option Removed switchport private vlan isolated command Command Usage under switchport voice vlan on page 4 282 Command Usage under queue mode on page 4 308 Removed queue bandwidth command Configuration guidelines under Quality of Service Commands on page 4 316 Introduction and Syntax for set on page 4 320 Command Usage under mvr Global Configura...

Page 10: ...x This page is intentionally left blank ...

Page 11: ...s for SNMP version 1 and 2c clients 2 7 Trap Receivers 2 7 Configuring Access for SNMP Version 3 Clients 2 8 Managing System Files 2 8 Saving Configuration Settings 2 9 Configuring Power over Ethernet 2 10 Chapter 3 Configuring the Switch 3 1 Using the Web Interface 3 1 Navigating the Web Browser Interface 3 2 Home Page 3 2 Configuration Options 3 3 Panel Display 3 3 Main Menu 3 4 Basic Configurat...

Page 12: ...cess Strings 3 42 Specifying Trap Managers and Trap Types 3 43 Configuring SNMPv3 Management Access 3 46 Setting the Local Engine ID 3 46 Specifying a Remote Engine ID 3 47 Configuring SNMPv3 Users 3 48 Configuring Remote SNMPv3 Users 3 50 Configuring SNMPv3 Groups 3 52 Setting SNMPv3 Views 3 55 User Authentication 3 57 Configuring User Accounts 3 58 Configuring Local Remote Logon Authentication 3...

Page 13: ... 102 Configuring the MAC Authentication Reauthentication Time 3 103 Configuring MAC Authentication for Ports 3 104 Displaying Secure MAC Address Information 3 106 MAC Authentication 3 107 Configuring MAC authentication parameters for ports 3 107 Access Control Lists 3 108 Setting the ACL Name and Type 3 109 Configuring a Standard IP ACL 3 110 Configuring an Extended IP ACL 3 111 Configuring a MAC ...

Page 14: ...ort PoE Power 3 160 Address Table Settings 3 162 Setting Static Addresses 3 162 Displaying the Address Table 3 163 Changing the Aging Time 3 164 Spanning Tree Algorithm Configuration 3 165 Configuring Port and Trunk Loopback Detection 3 167 Displaying Global Settings 3 168 Configuring Global Settings 3 171 Displaying Interface Settings 3 175 Configuring Interface Settings 3 178 Configuring Multipl...

Page 15: ...tatistics 3 229 Class of Service Configuration 3 230 Layer 2 Queue Settings 3 231 Setting the Default Priority for Interfaces 3 231 Mapping CoS Values to Egress Queues 3 232 Selecting the Queue Mode 3 234 Setting the Service Weight for Traffic Classes 3 234 Layer 3 4 Priority Settings 3 235 Mapping Layer 3 4 Priorities to CoS Values 3 235 Enabling IP DSCP Priority 3 236 Mapping DSCP Priority 3 237...

Page 16: ...ettings for Clusters 3 273 Configuring Cluster Members 3 274 Displaying Information on Cluster Members 3 275 Displaying Information on Cluster Candidates 3 276 UPnP 3 277 UPnP Configuration 3 278 Chapter 4 Command Line Interface 4 1 Using the Command Line Interface 4 1 Accessing the CLI 4 1 Console Connection 4 1 Telnet Connection 4 2 Entering Commands 4 3 Keywords and Arguments 4 3 Minimum Abbrev...

Page 17: ... 4 22 banner configure ip lan 4 23 banner configure lp number 4 23 banner configure manager info 4 24 banner configure mux 4 25 banner configure note 4 25 show banner 4 26 System Status Commands 4 27 show startup config 4 27 show running config 4 29 show system 4 31 show users 4 31 show version 4 32 show memory 4 33 Frame Size Commands 4 33 jumbo frame 4 33 File Management Commands 4 34 copy 4 35 ...

Page 18: ...l 4 57 logging sendmail destination email 4 58 logging sendmail 4 58 show logging sendmail 4 58 Time Commands 4 59 sntp client 4 60 sntp server 4 61 sntp poll 4 61 show sntp 4 62 ntp client 4 62 ntp server 4 63 ntp poll 4 64 ntp authenticate 4 64 ntp authentication key 4 65 show ntp 4 66 clock timezone predefined 4 67 clock timezone 4 67 clock summer time date 4 68 clock summer time predefined 4 6...

Page 19: ...snmp server enable traps 4 92 snmp server engine id 4 93 show snmp engine id 4 94 snmp server view 4 94 show snmp view 4 95 snmp server group 4 96 show snmp group 4 97 snmp server user 4 98 show snmp user 4 99 Authentication Commands 4 100 User Account Commands 4 100 username 4 101 enable password 4 102 Authentication Sequence 4 103 authentication login 4 103 authentication enable 4 104 RADIUS Cli...

Page 20: ...n exec 4 122 show accounting 4 122 Web Server Commands 4 123 ip http port 4 123 ip http server 4 124 ip http secure server 4 124 ip http secure port 4 125 Telnet Server Commands 4 126 ip telnet server 4 126 Secure Shell Commands 4 127 ip ssh server 4 129 ip ssh timeout 4 130 ip ssh authentication retries 4 131 ip ssh server key size 4 131 delete public key 4 132 ip ssh crypto host key generate 4 1...

Page 21: ...5 mac authentication intrusion action 4 155 mac authentication max mac count 4 156 clear network access 4 156 show network access 4 157 show network access mac address table 4 158 Web Authentication 4 159 web auth login attempts 4 159 web auth quiet period 4 160 web auth session timeout 4 160 web auth system auth control 4 161 web auth 4 161 web auth re authenticate Port 4 162 web auth re authenti...

Page 22: ...3 permit deny MAC ACL 4 184 show mac access list 4 185 mac access group 4 186 show mac access group 4 186 ACL Information 4 187 show access list 4 187 show access group 4 187 Interface Commands 4 188 interface 4 188 description 4 189 speed duplex 4 189 negotiation 4 190 capabilities 4 191 flowcontrol 4 192 media type 4 193 giga phy mode 4 194 shutdown 4 195 switchport packet rate 4 195 clear count...

Page 23: ... mac address table 4 224 mac address table aging time 4 225 show mac address table aging time 4 225 Spanning Tree Commands 4 226 spanning tree 4 227 spanning tree mode 4 228 spanning tree forward time 4 229 spanning tree hello time 4 229 spanning tree max age 4 230 spanning tree priority 4 231 spanning tree system bpdu flooding 4 231 spanning tree pathcost method 4 232 spanning tree transmission l...

Page 24: ...imer 4 254 Editing VLAN Groups 4 254 vlan database 4 254 vlan 4 255 Configuring VLAN Interfaces 4 256 interface vlan 4 256 switchport mode 4 257 switchport acceptable frame types 4 258 switchport ingress filtering 4 258 switchport native vlan 4 259 switchport allowed vlan 4 260 switchport forbidden vlan 4 261 Displaying VLAN Information 4 262 show vlan 4 262 Configuring IEEE 802 1Q Tunneling 4 263...

Page 25: ... priority 4 284 show voice vlan 4 285 LLDP Commands 4 286 lldp 4 288 lldp holdtime multiplier 4 288 lldp medFastStartCount 4 289 lldp notification interval 4 289 lldp refresh interval 4 290 lldp reinit delay 4 290 lldp tx delay 4 291 lldp admin status 4 292 lldp notification 4 292 lldp mednotification 4 293 lldp basic tlv management ip address 4 294 lldp basic tlv port description 4 294 lldp basic...

Page 26: ... 4 315 Quality of Service Commands 4 316 class map 4 317 match 4 318 policy map 4 319 class 4 319 set 4 320 police 4 321 service policy 4 322 show class map 4 322 show policy map 4 323 show policy map interface 4 323 Multicast Filtering Commands 4 324 IGMP Snooping Commands 4 324 ip igmp snooping 4 326 ip igmp snooping vlan static 4 326 ip igmp snooping version 4 327 ip igmp snooping leave proxy 4...

Page 27: ... 340 show ip igmp profile 4 341 show ip igmp throttle interface 4 341 Multicast VLAN Registration Commands 4 342 mvr Global Configuration 4 342 mvr Interface Configuration 4 344 show mvr 4 345 IP Interface Commands 4 348 ip address 4 348 ip default gateway 4 349 ip dhcp restart 4 350 show ip interface 4 350 show ip redirects 4 351 ping 4 351 Appendix A Software Specifications A 1 Software Features...

Page 28: ...Contents xxviii This page is intentionally left blank ...

Page 29: ... Port ID Subtype 3 226 Table 3 18 Mapping CoS Values to Egress Queues 3 232 Table 3 19 CoS Priority Levels 3 232 Table 3 20 Mapping DSCP Priority Values 3 237 Table 4 1 Command Modes 4 6 Table 4 2 Configuration Modes 4 7 Table 4 3 Command Line Processing 4 8 Table 4 4 Command Groups 4 9 Table 4 5 General Commands 4 10 Table 4 6 System Management Commands 4 16 Table 4 7 Device Designation Commands ...

Page 30: ...lter Commands 4 146 Table 4 41 Client Security Commands 4 148 Table 4 42 Port Security Commands 4 149 Table 4 43 Network Access 4 150 Table 4 44 Web Authentication 4 159 Table 4 45 DHCP Snooping Commands 4 164 Table 4 46 IP Source Guard Commands 4 172 Table 4 47 Access Control Lists 4 176 Table 4 48 IP ACLs 4 176 Table 4 49 MAC ACL Commands 4 182 Table 4 50 ACL Information 4 187 Table 4 51 Interfa...

Page 31: ...e 4 79 LLDP Commands 4 286 Table 4 80 Priority Commands 4 308 Table 4 81 Priority Commands Layer 2 4 308 Table 4 82 Default CoS Values to Egress Queues 4 310 Table 4 83 Priority Commands Layer 3 and 4 4 313 Table 4 84 IP DSCP to CoS Vales 4 314 Table 4 85 Quality of Service Commands 4 316 Table 4 86 Multicast Filtering Commands 4 324 Table 4 87 IGMP Snooping Commands 4 324 Table 4 88 IGMP Query Co...

Page 32: ...Tables xxxii This page is intentionally left blank ...

Page 33: ...ation 3 36 Figure 3 21 NTP Client Configuration 3 38 Figure 3 22 Setting the System Clock 3 39 Figure 3 23 Enabling SNMP Agent Status 3 41 Figure 3 24 Configuring SNMP Community Strings 3 42 Figure 3 25 Configuring IP Trap Managers 3 45 Figure 3 26 Setting an Engine ID 3 46 Figure 3 27 Setting a Remote Engine ID 3 47 Figure 3 28 Configuring SNMPv3 Users 3 49 Figure 3 29 Configuring Remote SNMPv3 U...

Page 34: ...Figure 3 64 MAC Authentication Port Configuration 3 108 Figure 3 65 Selecting ACL Type 3 109 Figure 3 66 Configuring Standard IP ACLs 3 110 Figure 3 67 Configuring Extended IP ACLs 3 112 Figure 3 68 Configuring MAC ACLs 3 114 Figure 3 69 Configuring ACL Port Binding 3 115 Figure 3 70 DHCP Snooping Configuration 3 117 Figure 3 71 DHCP Snooping VLAN Configuration 3 118 Figure 3 72 DHCP Snooping Info...

Page 35: ...ure 3 106 Globally Enabling GVRP 3 190 Figure 3 107 Displaying Basic VLAN Information 3 191 Figure 3 108 Displaying Current VLANs 3 192 Figure 3 109 Configuring a VLAN Static List 3 194 Figure 3 110 Configuring a VLAN Static Table 3 196 Figure 3 111 VLAN Static Membership by Port 3 197 Figure 3 112 Configuring VLANs per Port 3 200 Figure 3 113 802 1Q Tunnel Status and Ethernet Type 3 204 Figure 3 ...

Page 36: ...st Router Port Information 3 257 Figure 3 146 Static Multicast Router Port Configuration 3 258 Figure 3 147 IP Multicast Registration Table 3 259 Figure 3 148 IGMP Member Port Table 3 260 Figure 3 149 Enabling IGMP Filtering and Throttling 3 261 Figure 3 150 IGMP Profile Configuration 3 262 Figure 3 151 IGMP Filter and Throttling Port Configuration 3 264 Figure 3 152 MVR Global Configuration 3 267...

Page 37: ... that enables DC power to be supplied to attached devices over the connecting Ethernet cable This guide describes device management for the Ubigate iES4028F iES4028FP and iES4024GP The only significant differences between these switches are listed in the following table Table 1 1 Differences in Switch Models Ubigate iES4028F Ubigate iES4028FP Ubigate iES4024GP Ports 24 Fast Ethernet 4 Gigabit Ethe...

Page 38: ...ntrol Port Trunking Supports up to 8 trunks using either static or dynamic trunking LACP Port Mirroring One or more ports mirrored to a single analysis port Congestion Control Rate Limiting Throttling for broadcast storms Static Addresses Up to 8K MAC addresses in the forwarding table IEEE 802 1D Bridge Supports dynamic data switching and addresses learning Store and Forward Switching Supported to...

Page 39: ...ntication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then verifies the client s right to access the network via an authentication server i e RADIUS server This switch also supports authentication authorization and accounting AAA provides accounting and billing for IEEE 802 1X authenticated users that access the network and for users that access management inter...

Page 40: ...the rate limit is transmitted while packets that exceed the acceptable amount of traffic are dropped Broadcast Storm Control Broadcast suppression prevents broadcast traffic from overwhelming the network When enabled on a port the level of broadcast traffic passing through the port is restricted If broadcast traffic rises above a pre defined threshold it will be throttled until the level falls bac...

Page 41: ...P Virtual LANs This switch supports up to 255 VLANs A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network This switch supports tagged VLANs based on the IEEE 802 1Q standard Members of VLAN groups can be dynamically learned via GVRP or ports can be manually assigned to a specific set of VLANs Thi...

Page 42: ...siding in other standard or private VLAN groups while preserving security and data isolation for normal traffic Tunneling Configures tunnels for customer traffic crossing the service provider s network using IEEE 802 1Q IEEE 802 1Q Tunneling QinQ This feature is designed for service providers carrying traffic for multiple customers across their networks QinQ tunneling is used to maintain customer ...

Page 43: ... Data bits 8 Stop bits 1 Parity none Local Console Timeout 0 disabled Authentication Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled MAC Address Authentication Disabled Web Authentication D...

Page 44: ...ntrol Enabled all ports 64 kbits per second Address Table Aging Time 300 seconds Spanning Tree Algorithm Status Enabled RSTP Defaults All values based on IEEE 802 1w Fast Forwarding Edge Port Disabled LLDP Status Enabled Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Enabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global Disabled GVRP port int...

Page 45: ...istration Disabled System Log Status Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled NTP Clock Synchronization Disabled DHCP Snooping Status Disabled IP Source Guard Status Disabled all ports Switch Clustering Status Enabled Commander Disabled Table 1 3 System Defaults Conti...

Page 46: ...Introduction 1 10 1 This page is intentionally left blank ...

Page 47: ... 232 serial console port on the switch or remotely by a Telnet or Secure Shell SSH connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView The switch s web interface CLI configuration program and SNMP agent all...

Page 48: ...serial port on a terminal or a PC running terminal emulation software and tighten the captive retaining screws on the DB 9 connector 2 Connect the other end of the cable to the RS 232 serial port on the switch 3 Make sure the terminal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set the baud rate to 9600 bps Set the data format to 8 data bits 1 s...

Page 49: ...ovides access to basic configuration functions To access the full range of SNMP management functions you must use SNMP based network management software Basic Configuration Console Connection The CLI program provides two different command levels normal access level Normal Exec and privileged access level Privileged Exec The commands available at the Normal Exec level are a limited subset of those ...

Page 50: ...word in encrypted form Setting an IP Address You must establish IP address information for the stack to obtain management access through the network This can be done in either of the following ways Manual You have to input the information including IP address and subnet mask If your management station is not in the same IP subnet as the switch you will also need to specify the default gateway rout...

Page 51: ...on mode prompt Press Enter 4 To set the IP address of the default gateway for the network to which the switch belongs type ip default gateway gateway where gateway is the IP address of the default gateway Press Enter Dynamic Configuration If you select the bootp or dhcp option the system will immediately start broadcasting service requests IP will be enabled but will not function until a BOOTP or ...

Page 52: ...SNMP management stations send requests to the switch either to return information or to set a parameter the switch provides the requested data or sets the specified parameter The switch can also be configured to send information to SNMP managers without being requested by the managers through trap messages which inform the manager that certain events have occurred The switch includes an SNMP agent...

Page 53: ...is read only 2 To remove an existing string simply type no snmp server community string where string is the community access string to remove Press Enter Note If you do not intend to support access to SNMP version 1 and 2c clients we recommend that you delete both of the default community strings If there are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled...

Page 54: ... The switch s file system allows files to be uploaded and downloaded copied deleted and set as a start up file The three types of files are Configuration This file type stores system configuration information and is created when configuration settings are saved Saved configuration files can be selected as a system start up file or can be uploaded via TFTP to a server for backup The file named Fact...

Page 55: ...cts the contents or usage of the file settings If you download directly to the running config the system will reboot and the settings will have to be copied from the running config to a permanent file Saving Configuration Settings Configuration commands only modify the running configuration file and are not saved when the switch is rebooted To save all your configuration changes in nonvolatile sto...

Page 56: ...orts can be defined so that power can be centrally managed preventing overload conditions at the power source If the power demand from devices connected to the switch exceeds the power budget setting the switch uses port power priority settings to limit the supplied power In the example below the power mainpower maximum allocation CLI command is used to set the PoE power budget for the switch Rang...

Page 57: ...on page 2 4 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 2 4 3 After you enter a user name and password you will have access to the system configuration program Notes 1 You are allowed three attempts to enter the correct password on ...

Page 58: ...tch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statistics Figure 3 1 Home Page Note The examples in this chapter are based on the Ubigate iES4024GP The key differences between the Ubi...

Page 59: ...s option is available under Tools Internet Options General Browsing History Settings Temporary Internet Files 2 You may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up or down D...

Page 60: ... Operation Allows the transfer and copying of files 3 21 Delete Allows deletion of files from the flash memory 3 22 Set Start Up Sets the startup file 3 22 Line 3 25 Console Sets console port connection parameters 3 25 Telnet Sets Telnet connection parameters 3 27 Log 3 29 Logs Stores and displays error messages 3 29 System Logs Sends error messages to a logging process 3 29 Remote Logs Configures...

Page 61: ...nting of requested services for billing or security purposes 3 67 Periodic Update Sets the interval at which accounting updates are sent to RADIUS AAA servers 3 69 802 1X Port Settings Applies the specified accounting method to an interface 3 70 Command Privileges Specifies a method name to apply to commands entered at specific CLI privilege levels 3 71 Exec Settings Specifies console or Telnet au...

Page 62: ...ccess parameters for individual ports 3 104 MAC Address Information Displays Network Access statistics sorted by various attributes 3 106 MAC Authentication 3 107 Port Configuration Configures MAC Authentication parameters for ports 3 107 ACL 3 108 Configuration Configures packet filtering based on IP or MAC addresses 3 108 Port Binding Binds a port to the specified ACL 3 115 IP Filter Sets IP add...

Page 63: ...rate limit for each trunk 3 152 Output Port Configuration Sets the output rate limit for ports 3 152 Output Trunk Configuration Sets the output rate limit for trunks 3 152 Port Statistics Lists Ethernet and RMON port statistics 3 153 PoE 3 157 Power Status Displays the status of global power parameters 3 158 Power Configuration Configures the power budget for the switch 3 159 Power Port Status Dis...

Page 64: ...ot the port is tagged or untagged 3 192 Static List Used to create or remove VLAN groups 3 193 Static Table Modifies the settings for an existing VLAN 3 195 Static Membership by Port Configures membership type for interfaces including tagged untagged or forbidden 3 197 Port Configuration Specifies default PVID and VLAN attributes 3 198 Trunk Configuration Specifies default trunk VID and VLAN attri...

Page 65: ...e device connected to a port on this switch 3 225 Remote Trunk Information Displays LLDP information about a remote device connected to a trunk on this switch 3 225 Remote Information Details Displays detailed LLDP information about a remote device connected to this switch 3 226 Device Statistics Displays LLDP statistics for all connected remote devices 3 228 Device Statistics Details Displays LLD...

Page 66: ...r 3 257 IP Multicast Registration Table Displays all multicast groups active on this switch including multicast IP addresses and VLAN ID 3 258 IGMP Member Port Table Indicates multicast addresses associated with the selected VLAN 3 259 IGMP Filter Profile Configuration Configures IGMP Filter Profiles 3 262 IGMP Filter Throttling Port Configuration Configures IGMP Filtering and Throttling for ports...

Page 67: ...splays the DHCP Snooping binding information 3 122 IP Source Guard 3 123 Port Configuration Enables IP source guard and selects filter type per port 3 123 Static Configuration Adds a static addresses to the source guard binding table 3 125 Dynamic Information Displays the source guard binding table for a selected interface 3 126 Cluster 3 273 Configuration Globally enables clustering for the switc...

Page 68: ...tact Administrator responsible for the system System Up Time Length of time the management agent has been up These additional parameters are displayed for the CLI MAC Address The physical layer address for this switch Web Server Shows if management access via HTTP is enabled Web Server Port Shows the TCP port number used by the web interface Web Secure Server Shows if management access via HTTPS i...

Page 69: ...cription L2 Gigabit Ethernet PoE Standalone Switch System OID String 1 3 6 1 4 1 236 4 1 12 1 103 System Information System Up Time 0 days 2 hours 26 minutes and 30 55 seconds System Name R D 5 System Location WC 9 System Contact Ted MAC Address Unit1 00 16 B6 F0 71 3C Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server Port 443 Telnet Server Enable Telnet Server Port...

Page 70: ...f built in RJ 45 ports Hardware Version Hardware version of the main board Internal Power Status Displays the status of the internal power supply Management Software EPLD Version Version number of the Electronically Programmable Logic Device code Loader Version Version number of loader code Boot ROM Version Version of Power On Self Test POST and boot code Operation Code Version Version number of r...

Page 71: ...on Console show version 4 32 Unit 1 Serial Number A622016032 Hardware Version R01 EPLD Version 0 02 Number of Ports 24 Main Power Status Up Redundant Power Status Not present Agent Master Unit ID 1 Loader Version 1 0 0 1 Boot ROM Version 1 0 0 10 Operation Code Version 1 1 0 14 Console ...

Page 72: ...ltering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 162 VLAN Learning This switch uses Independent VLAN Learning IVL where each port maintains its own filtering database Configurable PVID Tagging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration o...

Page 73: ...ss IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast periodically by the switch for an IP address DHCP BOOTP values can include the IP address subnet mask and default gate...

Page 74: ...Static enter the IP address subnet mask and gateway then click Apply Figure 3 6 Manual IP Configuration CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 4 188 Console config if ip address 192 168 1 54 255 255 255 0 4 347 Console config if exit Console config ip default gateway 192 168 1 253 4 348 Console config ...

Page 75: ...le connection and enter show ip interface to determine the new switch address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart command Renewing DCHP DHCP may lease addresses to clients indefinitely or for a specific period of time If the address expires or the switch is moved to another network segment you will lose management acc...

Page 76: ... jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields Command Usage To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And f...

Page 77: ...tributes File Transfer Method The firmware copy operation includes these options file to file Copies a file within the switch directory assigning it a new name file to tftp Copies a file from the switch to a TFTP server tftp to file Copies a file from a TFTP server to the switch TFTP Server IP Address The IP address of a TFTP server File Type Specify opcode operational code to copy firmware File N...

Page 78: ...ile name of the software to download select a file on the switch to overwrite or specify a new file name then click Apply If you replaced the current firmware used for startup and want to start using the new operation code reboot the system via the System Reset menu Figure 3 9 Copy Firmware The new file is automatically set as the startup code since the switch only supports the presence of one fir...

Page 79: ...e running configuration to a TFTP server startup config to file Copies the startup configuration to a file on the switch startup config to tftp Copies the startup configuration to a TFTP server tftp to file Copies a file from a TFTP server to the switch tftp to running config Copies a file from a TFTP server to the running config tftp to startup config Copies a file from a TFTP server to the start...

Page 80: ...lect tftp to startup config or tftp to file and enter the IP address of the TFTP server Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name then click Apply Figure 3 11 Downloading Configuration Settings for Startup If you download to a new file name using tftp to startup config or tftp to file the file is automatically set as the start ...

Page 81: ...ange 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts Silent Time Sets the amount of time the...

Page 82: ...sword for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt Default No password Login1 Enables password checking at login You can select authentication by a single global password as configured for the Password parameter or by passwords set up for specific user name acc...

Page 83: ...the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified ...

Page 84: ...y the connection parameters for Telnet access then click Apply Figure 3 14 Enabling Telnet CLI Enter Line Configuration mode for a virtual terminal then specify the connection parameters as required To display the current virtual terminal settings use the show line command from the Normal Exec level 2 CLI only Console config line vty 4 41 Console config line login local 4 41 Console config line pa...

Page 85: ...ables disables the logging of debug or error messages to the logging process Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the specified level For example if level 3 is specified all messages from level 0 to level 3 will be logged to flash Range 0 7 Default 3 RAM Level Limits log messages saved to the switch s temporary RAM memory...

Page 86: ...6 to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages see RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in the corresponding database Range 16 2...

Page 87: ...the facility type and set the logging trap Console config logging host 192 168 1 15 4 51 Console config logging facility 23 4 51 Console config logging trap 4 4 52 Console config end Console show logging trap 4 52 Syslog logging Enabled REMOTELOG status Enabled REMOTELOG facility type local use 7 REMOTELOG level type Warning conditions REMOTELOG server ip address 192 168 1 15 REMOTELOG server ip a...

Page 88: ... of a specified level The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients Command Attributes Admin Status Enables disables the SMTP function Default Enabled Email Source Address Sets the email address used for the From field in alert messages You may use a symbolic email address that identifies the switch or the address of an administrator ...

Page 89: ...r address to add to the SMTP Server List Email Destination Address List Specifies the email recipients of alert messages You can specify up to five recipients Use the New Email Destination Address text field and the Add Remove buttons to configure the list Email Destination Address This command specifies SMTP servers that may receive alert messages Web Click System Log SMTP To add an IP address to...

Page 90: ...th the hours before the switch resets Range 1 34560 Default 0 Reset Resets the switch after the specified time If the hour and minute fields are blank then the switch will reset immediately Refresh Refreshes the countdown timer of a pending delayed reset Cancel Cancels a pending delayed reset Console config logging sendmail host 192 168 1 4 4 56 Console config logging sendmail level 3 4 57 Console...

Page 91: ...config command see copy on page 4 35 Setting the System Clock Simple Network Time Protocol SNTP allows the switch to set its internal clock based on periodic updates from a time server SNTP or NTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries You can also set the clock manually as described in the following section If the c...

Page 92: ...e SNTP Server field Default Disabled SNTP Poll Interval Sets the interval between sending requests for a time update from a time server Range 16 16384 seconds Default 16 seconds SNTP Server Sets the IP address for up to three time servers The switch attempts to update the time from the first server if this fails it attempts an update from the next server in the sequence Note SNTP and NTP clients c...

Page 93: ...s for an NTP server to be polled The switch requests an update from all configured servers then determines the most accurate time update from the responses received Version Specifies the NTP version supported by the server Range 1 3 Default 3 Authenticate Key Specifies the number of the key in the NTP Authentication Key List to use for authentication with the configured server The authentication k...

Page 94: ...168 4 22 version 2 Console config ntp server 192 168 5 23 version 3 key 19 Console config ntp poll 60 4 64 Console config ntp client 4 62 Console config ntp authenticate 4 64 Console config exit Console show ntp 4 66 Current time Jan 1 02 58 58 2001 Poll interval 60 Current mode unicast NTP status Enabled NTP Authenticate status Enabled Last Update NTP Server 0 0 0 0 Port 0 Last Update time Dec 31...

Page 95: ... it s offset from UTC and lists at least one major city or location covered by the time zone User defined Configuration Allows the user to define all parameters of the local time zone Direction Configures the time zone to be before east or after west UTC Name Assigns a name to the time zone Range 1 29 characters Hours 0 13 The number of hours before after UTC The maximum value before UTC is 12 The...

Page 96: ... monitors the status of the switch hardware as well as the traffic passing through its ports A network management station can access this information using software such as HP OpenView Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings To communicate with the switch the management station must first submit a valid community string for authentication A...

Page 97: ...munity string only v1 noAuthNoPriv private read write defaultview defaultview none Community string only v1 noAuthNoPriv user defined user defined user defined user defined Community string only v2c noAuthNoPriv public read only defaultview none none Community string only v2c noAuthNoPriv private read write defaultview defaultview none Community string only v2c noAuthNoPriv user defined user defin...

Page 98: ...its access to the SNMP protocol Default strings public read only private read write Range 1 32 characters case sensitive Access Mode Specifies the access rights for the community string Read Only Authorized management stations are only able to retrieve MIB objects Read Write Authorized management stations are able to both retrieve and modify MIB objects Web Click SNMP Configuration Add new communi...

Page 99: ...orms can be used to ensure that critical information is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these steps 1 Enable t...

Page 100: ...nly available for the SNMPv3 security model Trap Inform Notifications are sent as inform messages Note that this option is only available for version 2c and 3 hosts Default traps are used Timeout The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds Retry times The maximum number of times to resend an inform...

Page 101: ... clients trap inform settings for v2c v3 clients and then click Add Select the trap types required using the check boxes for Authentication and Link up down traps and then click Apply Figure 3 25 Configuring IP Trap Managers CLI This example adds a trap manager and enables both authentication and link up link down traps Console config snmp server host 192 168 1 19 private version 2c 4 90 Console c...

Page 102: ...generate the security keys for authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users A new engine ID can be specified by entering 10 to 64 hexadecimal characters 5 to...

Page 103: ...ing Trap Managers and Trap Types on page 3 43 and Configuring Remote SNMPv3 Users on page 3 50 The engine ID can be specified by entering 10 to 64 hexadecimal characters 5 to 32 octets in hexadecimal format If an odd number of characters are specified a trailing zero is added to the value to fill in the last octet For example the value 123456789 is equivalent to 1234567890 Web Click SNMP SNMPv3 Re...

Page 104: ...AuthNoPriv There is no authentication or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Authentication Protocol The method used for user au...

Page 105: ...ned group of a user click Change Group in the Actions column of the users table and select the new group Figure 3 28 Configuring SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user chris group r d v3 auth md5 greenpeace priv des56 einstien 4 98 Console config exit Console show snmp user 4 99 EngineId 80000034030001...

Page 106: ...or the SNMP agent on the remote device where the remote user resides Note that the remote engine identifier must be specified before you configure a remote user See Specifying a Remote Engine ID on page 44 Remote IP The Internet address of the remote device where the user resides Security Model The user security model SNMP v1 v2c or v3 Default v1 Security Level The security level used for the user...

Page 107: ... then click Delete Figure 3 29 Configuring Remote SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user mark group r d remote 192 168 1 19 v3 auth md5 greenpeace priv des56 einstien 4 98 Console config exit Console show snmp user 4 99 No user exist SNMP remote user EngineId 80000000030004e2b316c54321 User Name mark A...

Page 108: ...or write access Range 1 64 characters Notify View The configured view for notifications Range 1 64 characters Table 3 5 Supported Notification Messages Object Label Object ID Description RFC 1493 Traps newRoot 1 3 6 1 2 1 17 0 1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree the trap is sent by a bridge soon after its election as the new root e g upo...

Page 109: ...enTraps object indicates whether this trap will be generated RMON Events V2 risingAlarm 1 3 6 1 2 1 16 0 1 The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps fallingAlarm 1 3 6 1 2 1 16 0 2 The SNMP trap that is generated when an alarm entry crosses its falling threshold and generates an event that is co...

Page 110: ...wer usage is above the threshold pethMainPower UsageOffNotification 1 3 6 1 4 1 236 4 1 12 1 103 173 2 1 0 46 This notification indicates that the PSE Threshold usage indication is off the usage power is below the threshold These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the SNMP Configuration menu The MIB Object Identifiers for the iES40...

Page 111: ...ly configured object identifiers of branches within the MIB tree that define the SNMP view Edit OID Subtrees Allows you to configure the object identifiers of branches within the MIB tree Wild cards can be used to mask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Console config snmp server gr...

Page 112: ...IB to be included or excluded in the view Click Back to save the new view and return to the SNMPv3 Views list For a specific view click on View OID Subtrees to display the current configuration or click on Edit OID Subtrees to make changes to the view settings To delete a view check the box next to the view name then click Delete Figure 3 31 Configuring SNMPv3 Views ...

Page 113: ...ess rights AAA Provides a framework for configuring access control on the switch HTTPS Settings Provide a secure web connection SSH Settings Provide a secure shell for secure Telnet access Port Security Configure secure addresses for individual ports 802 1X Use IEEE 802 1X port authentication to control access to specific ports IP Filter Filters management access to the web SNMP or Telnet interfac...

Page 114: ...s configuration settings for a new account User Name The name of the user Maximum length 8 characters maximum number of users 16 Access Level Specifies the user level Options Normal Manager and Privileged Normal privilege level provides access to a limited number of the commands which display the current status of the switch as well as several database clear and reset functions Manager level provi...

Page 115: ...words You can manually configure access rights on the switch or you can use a remote access authentication server based on RADIUS or TACACS protocols Remote Authentication Dial in User Service RADIUS and Terminal Access Controller Access Control System Plus TACACS are logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devi...

Page 116: ...d client that have been encrypted using MD5 Message Digest 5 TLS Transport Layer Security or TTLS Tunneled Transport Layer Security You can specify up to three authentication methods for any user to indicate the authentication sequence For example if you select 1 RADIUS 2 TACACS and 3 Local the user name and password on the RADIUS server is verified first If the RADIUS server is not available then...

Page 117: ...at of the switch s connecting interface However setting this field to an address other than that of the actual interface connecting the switch to the RADIUS server will not affect the IP address used inside the IP headers of RADIUS packets sent from the switch Some AAA clients may try to change the attribute 4 address Setting the NAS IP address in the attribute 4 field prevents these clients from ...

Page 118: ...tication Settings To configure local or remote authentication preferences specify the authentication sequence i e one to three methods fill in the parameters for RADIUS or TACACS authentication if selected and click Apply Figure 3 33 Authentication Settings ...

Page 119: ...Console config radius server 1 host 192 168 1 25 4 105 Console config radius server attribute 4 192 168 1 1 4 107 Console config end Console show radius server 4 109 Remote RADIUS Server Configuration Global Settings Authentication Port 1812 Accounting Port 1813 Retransmit Times 5 Request Timeout 10 seconds Attributes NAS IP Address 4 192 168 1 1 Server 1 Server IP Address 192 168 1 25 Authenticat...

Page 120: ...ttings Global Provides globally applicable TACACS encryption key settings Server Index Specifies the index number of the TACACS server for which an encryption key may be configured The switch currently supports only one TACACS server Secret Text String Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters Console configure Co...

Page 121: ... follows Authentication Identifies users that request access to the network Authorization Determines if users can access specific services Accounting Provides reports auditing and billing for services that users have accessed on the network The AAA functions require the use of configured RADIUS or TACACS servers in the network The security servers can be defined as sequential groups that are then ...

Page 122: ... the method names to port or line interfaces Note This guide assumes that RADIUS and TACACS servers have already been configured to support AAA The configuration of RADIUS and TACACS server software is beyond the scope of this guide refer to the documentation provided with the RADIUS or TACACS server software Configuring AAA RADIUS Group Settings The AAA RADIUS Group Settings screen defines the co...

Page 123: ...s Enter the TACACS group name followed by the number of the server then click Add Figure 3 36 AAA TACACS Group Settings CLI Specify the group name for a list of TACACS servers and then specify the index number of a TACACS server to add it to the group Configuring AAA Accounting AAA accounting is a feature that enables the accounting of requested services for billing or security purposes Command At...

Page 124: ...ections Accounting Notice Records user activity from log in to log off point Group Name Specifies the accounting server group Range 1 255 characters The group names radius and tacacs specifies all configured RADIUS and TACACS hosts see Configuring Local Remote Logon Authentication on page 3 59 Any other group name refers to a server group configured on the RADIUS or TACACS Group Settings pages Web...

Page 125: ... the local accounting service updates information to the accounting server Range 1 2147483647 minutes Default Disabled Web Click Security AAA Accounting Periodic Update Enter the required update interval and click Apply Figure 3 38 AAA Accounting Update CLI This example sets the periodic accounting update interval at 10 minutes Console config aaa accounting dot1x tps start stop group radius 4 116 ...

Page 126: ...apply to the interface This method must be defined in the AAA Accounting Settings menu page 3 66 Range 1 255 characters Web Click Security AAA Accounting 802 1X Port Settings Enter the required accounting method and click Apply Figure 3 39 AAA Accounting 802 1X Port Settings CLI Specify the accounting method to apply to the selected interface Console config interface ethernet 1 2 Console config if...

Page 127: ...d at the specified CLI privilege level Web Click Security AAA Accounting Command Privileges Enter a defined method name for console and Telnet privilege levels Click Apply Figure 3 40 AAA Accounting Exec Command Privileges CLI Specify the accounting method to use for console and Telnet privilege levels Console config line console 4 41 Console config line accounting commands 15 tps method 4 120 Con...

Page 128: ... user sessions Command Attributes AAA Accounting Summary Accounting Type Displays the accounting service Method List Displays the user defined or default accounting method Group List Displays the accounting server group Interface Displays the port or trunk to which these rules apply This field is null if the accounting method and associated server group has not been assigned to an interface AAA Ac...

Page 129: ...y applied accounting methods and registered users Console show accounting 4 122 Accounting Type dot1x Method List default Group List radius Interface Method List tps method Group List tps radius Interface Accounting Type Exec Method List default Group List tacacs Interface Accounting Type Commands 0 Method List default Group List tacacs Interface ...

Page 130: ...guring Local Remote Logon Authentication on page 3 59 Any other group name refers to a server group configured on the TACACS Group Settings page Authorization is only supported for TACACS servers Web Click Security AAA Authorization Settings To configure a new authorization method specify a method name and a group name select the service then click Add Figure 3 43 AAA Authorization Settings CLI Sp...

Page 131: ...ons Web Click Security AAA Authorization Exec Settings Enter a defined method name for console and Telnet connections and click Apply Figure 3 44 AAA Authorization Exec Settings CLI Specify the authorization method to use for Console and Telnet interfaces Console config line console 4 41 Console config line authorization exec tps auth 4 122 Console config line exit Console config line vty Console ...

Page 132: ...ole or Telnet interface to which the authorization method applies This field is null if the authorization method and associated server group has not been assigned Web Click Security AAA Authorization Summary Figure 3 45 AAA Authorization Summary CLI This example displays the configured authorization methods and the interfaces to which they are applied Console show accounting 4 122 Accounting type ...

Page 133: ...ng and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 3 78 C...

Page 134: ...g that the connection to the switch is secure you must obtain a unique certificate and a private key and password from a recognized certification authority Caution For maximum security we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity This is because the default certificate for the switch is not unique to the hardware you have purchased When you have obt...

Page 135: ...oft Windows and other environments These tools including commands such as rlogin remote login rsh remote shell and rcp remote copy are not secure from hostile attacks The Secure Shell SSH includes server client applications intended as a secure replacement for the older Berkeley remote access tools SSH can also provide remote management access to this switch as a secure replacement for Telnet When...

Page 136: ...An entry for a public key in the known hosts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206 519417467729848654686157177393901647793559423035774130980227370877945452 408397175264...

Page 137: ...secret key to generate a random 256 bit string as a challenge encrypts this string with the user s public key and sends it to the client d The client uses its private key to decrypt the challenge string computes the MD5 checksum and sends the checksum back to the switch e The switch compares the checksum sent from the client against that computed for the original string it sent If the two checksum...

Page 138: ...lus Host Key Type The key type used to generate the host key pair i e public and private keys Range RSA Version 1 DSA Version 2 Both Default RSA The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption Note The switch uses only RSA Version 1 for ...

Page 139: ...8320102524878965977592168322225584652387791546479807396314033 86925793105105765212243052807865885485789272602937866089236841423275912127 60325919683697053439336438445223335188287173896894511729290510813919642025 190932104328579045764891 DSA ssh dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE Re6hlasfEthIwmj hLY4O0jqJZpcEQUgCfYlum0Y2uoLka Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi KviDa 2Or...

Page 140: ...h to manage Note that you must first create users on the User Accounts page See Configuring User Accounts on page 3 58 Public Key Type The type of public key to upload RSA The switch accepts a RSA version 1 encrypted public key DSA The switch accepts a DSA version 2 encrypted public key The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch a...

Page 141: ... SSH User Public Key Settings Select the user name and the public key type from the respective drop down boxes input the TFTP server IP address and the public key source file name and then click Copy Public Key Figure 3 49 SSH User Public Key Settings ...

Page 142: ...lic key type 1 RSA 2 DSA 1 2 2 Source file name admin ssh2 dsa pub key Username admin TFTP Download Success Write to FLASH Programming Success Console show public key user admin 4 135 admin RSA 1024 37 154886675541099600242673908076171863880953984597454546825066951007 29617437427136900505591624068119579408716226078634780682201498685790475062 34519480679939485042653504179153032795337422103356695026...

Page 143: ...ost key pair on the SSH Host Key Settings page before you can enable the SSH server Figure 3 50 SSH Server Settings CLI This example enables SSH sets the authentication parameters and displays the current configuration It shows that the administrator has made a connection via SHH and then disables this connection Console config ip ssh server 4 129 Console config ip ssh timeout 100 4 130 Console co...

Page 144: ...nt can reject the authentication method and request another depending on the configuration of the client software and the RADIUS server The encryption method used to pass authentication messages can be MD5 Message Digest 5 TLS Transport Layer Security PEAP Protected Extensible Authentication Protocol or TTLS Tunneled Transport Layer Security The client responds to the appropriate method with its c...

Page 145: ...ise the dot1x client must support the required authentication method Displaying 802 1X Global Settings The 802 1X protocol provides port based client authentication Command Attributes 802 1X System Authentication Control The global setting for 802 1X Web Click Security 802 1X Information Figure 3 51 802 1X Global Information CLI This example shows the default global setting for 802 1X Console show...

Page 146: ...een the switch and authentication server These parameters are described in this section Command Attributes Port Port number Status Indicates if authentication is enabled or disabled on the port Default Disabled Operation Mode Allows single or multiple hosts clients to connect to an 802 1X authorized port Options Single Host Multi Host Default Single Host Max Count The maximum number of hosts that ...

Page 147: ...ets the time period during an authentication session that the switch waits before re transmitting an EAP packet Range 1 65535 Default 30 seconds Intrusion Action Sets the port s response to a failed authentication Block Traffic Blocks all non EAP traffic on the port This is the default setting Guest VLAN All traffic for the port is assigned to a guest VLAN The guest VLAN must be separately configu...

Page 148: ...ot1x 4 143 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 enabled Single Host auto yes 1 24 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx peri...

Page 149: ... of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid Rx Last EAPOLVer The protocol version number carried in the most ...

Page 150: ...Usage The management interfaces are open to all IP addresses by default Once you add an entry to a filter list access to that interface is restricted to the specified addresses If anyone tries to access a management interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager Console show ...

Page 151: ...ange just by specifying the start address or by specifying both the start address and end address Command Attributes Web IP Filter Configures IP address es for the web group SNMP IP Filter Configures IP address es for the SNMP group Telnet IP Filter Configures IP address es for the Telnet group IP Filter List IP address which are allowed management access to this interface Start IP Address A singl...

Page 152: ...ned VLAN See Private VLANs on page 3 209 Port Security Configure secure addresses for individual ports 802 1X Use IEEE 802 1X port authentication to control access to specific ports See Configuring 802 1X Port Authentication on page 3 88 Web Authentication Allows stations to authenticate and access the network in situations where 802 1X or Network Access authentication methods are infeasible or im...

Page 153: ...er of addresses to allow on the port and then let the switch dynamically learn the source MAC address VLAN pair for frames received on the port Note that you can also manually add secure addresses to the port using the Static Address Table page 3 162 When the port has reached the maximum number of MAC addresses the selected port will stop learning The MAC addresses already in the address table wil...

Page 154: ...ituations where 802 1X or Network Access authentication are infeasible or impractical The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates username ...

Page 155: ...Attempts Configures the number of times a supplicant may attempt and fail authentication before it must wait the configured quiet period Range 1 3 attempts Default 3 attempts Web Click Security Web Authentication Configuration Figure 3 57 Web Authentication Configuration CLI This example globally enables the system authentication control configures the session timeout quiet period and login attemp...

Page 156: ...Configuration Set the status box to enabled for any port that requires web authentication and click Apply Figure 3 58 Web Authentication Port Configuration CLI This example enables web authentication for ethernet port 1 5 and displays a summary of web authentication parameters Console config interface ethernet 1 5 4 188 Console config if web auth 4 161 Console config if end Console show web auth s...

Page 157: ...ation Figure 3 59 Web Authentication Port Information CLI This example displays web authentication parameters for port 1 5 Re authenticating Web Authenticated Ports The switch allows an administrator to manually force re authentication of any web authenticated host connected to any port Command Attributes Interface Indicates the port to query Host IP Indicates the IP address of the host selected f...

Page 158: ...network by authenticating the MAC address of each host that attempts to connect to a switch port Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server While authentication for a MAC address is in progress all traffic is blocked until authentication is completed On successful authentication the...

Page 159: ... however there are two configurable parameters that apply globally to all ports on the switch Command Attributes Authenticated Age The secure MAC address table aging time This parameter setting is the same as switch MAC address table aging time and is only configurable from the Address Table Aging Time web page see page 3 164 Default 300 seconds MAC Authentication Reauthentication Time Sets the ti...

Page 160: ... 802 1X on page 3 90 Dynamic VLAN Enables dynamic VLAN assignment for an authenticated port When enabled any VLAN identifiers returned by the RADIUS server are applied to the port providing the VLANs have already been created on the switch GVRP is not used to create the VLANs Default Enabled The VLAN settings specified by the first authenticated MAC address are implemented for a port Other authent...

Page 161: ...onfig if network access mode mac authentication 4 152 Console config if network access max mac count 10 4 153 Console config if mac authentication max mac count 24 4 155 Console config if network access dynamic vlan 4 153 Console config if network access guest vlan 4 154 Console config if end Console show network access interface ethernet 1 1 Global secure port information Reauthentication Time 18...

Page 162: ...namic addresses Address Table Sort Key Sorts the information displayed based on MAC address or port interface Port The port interface associated with a secure MAC address MAC Address The authenticated MAC address RADIUS Server The IP address of the RADIUS server that authenticated the MAC address Time The time when the MAC address was last authenticated Attribute Indicates a static or dynamic addr...

Page 163: ... following parameters are unavailable for modification if MAC Authentication is not enabled for the port Max MAC Count The maximum allowed amount of MAC authenticated MAC addresses on the port Default 1024 Range 1 1024 Intrusion Action The switch can respond in two ways to an intrusion Block Traffic All traffic for the unauthenticated host is blocked Pass Traffic All traffic for the unauthenticate...

Page 164: ...sequential list of permit or deny conditions that apply to IP addresses MAC addresses or other more specific criteria This switch tests ingress or egress packets against the conditions in an ACL one by one A packet will be accepted as soon as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match for a list of all permit rules the packet is dropped and if no rules ...

Page 165: ...s Type There are three filtering modes Standard IP ACL mode that filters packets based on the source IP address Extended IP ACL mode that filters packets based on source or destination IP address as well as protocol type and protocol port number If the TCP protocol is specified then you can also filter packets based on the TCP control code MAC MAC ACL mode that filters packets based on the source ...

Page 166: ...cate match and 0 bits to indicate ignore The mask is bitwise ANDed with the specified source IP address and compared with the address for each IP packet entering the port s to which this ACL has been assigned Web Specify the action i e Permit or Deny Select the address type Any Host or IP If you select Host enter a specific address If you select IP enter a subnet address and the mask for an addres...

Page 167: ...rs indicates a specific protocol number 0 255 Options TCP UDP Others Default TCP Source Destination Port Source destination port number for the specified protocol type Range 0 65535 Source Destination Port Bitmask Decimal number representing the port bits to match Range 0 65535 Control Code Decimal number representing a bit string that specifies flag bits in byte 14 of the TCP header Range 0 63 Co...

Page 168: ...g packets if the source address is in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2 Allow TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP port 80 i e HTTP 3 Permit all TCP packets from class C addresses 192 168 1 0 with the TCP...

Page 169: ... Class of Service value Range 0 7 CoS Bitmask Class of Service bitmask Range Range 0 7 VID VLAN ID Range 1 4094 VID Mask VLAN bitmask Range 0 4095 Ethernet Type This option can only be used to filter Ethernet II formatted packets Range 600 fff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bi...

Page 170: ...ddress range Set any other required criteria such as VID Ethernet type or packet format Then click Add Figure 3 68 Configuring MAC ACLs CLI This example configures one permit rule for all source mac addresses to communicate with all destination mac addresses on VLAN 12 and another permit rule for source mac address to communicate with all destination mac addresses Console config mac acl permit any...

Page 171: ...P Specifies the IP ACL to bind to a port MAC Specifies the MAC ACL to bind to a port IN ACL for ingress packets Web Click Security ACL Port Binding Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic select the required ACL from the drop down list then click Apply Figure 3 69 Configuring ACL Port Binding CLI This example assigns an IP access list to port 1 a...

Page 172: ... is 100 packets per second Any DHCP packets in excess of this limit are dropped When DHCP snooping is enabled DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping Filtering rules are implemented as follows If the global DHCP snooping is disabled all DHCP packets are forwarded If DHCP snooping is enabled globally and also enabled on the VLA...

Page 173: ... takes place However when the switch receives any messages from a DHCP server any packets received from untrusted ports are dropped Configuring DHCP Snooping Use the DHCP Snooping Configuration page to enable DHCP Snooping globally on the switch or to configure MAC Address Verification Command Attributes DHCP Snooping Status Enables DHCP snooping globally Default Disabled DHCP Snooping MAC Address...

Page 174: ...binding table Command Attributes VLAN ID ID of a configured VLAN Range 1 4094 DHCP Snooping Status Enables or disables DHCP snooping for the selected VLAN Web Click DHCP Snooping VLAN Configuration Figure 3 71 DHCP Snooping VLAN Configuration CLI This example first enables DHCP Snooping for VLAN 1 Configuring the DHCP Snooping Information Option DHCP provides a relay mechanism for sending informat...

Page 175: ...eady includes DHCP Option 82 information The switch can be configured to set the action policy for these packets The switch can either drop the DHCP packets keep the existing information or replace it with the switch s relay information Command Attributes DHCP Snooping Information Option Status Enables or disables DHCP Option 82 information relay Default Disabled DHCP Snooping Information Option P...

Page 176: ...ed on any untrusted ports within the VLAN When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Set all ports connected to DHCP servers within the local network or firewall to trusted state Set all other ports outside the local network or firewall to untrusted state Console config ip dhcp snooping information option 4 169 C...

Page 177: ...oping Trust Status for ports Console config interface ethernet 1 5 Console config if ip dhcp snooping trust 4 167 Console config if end Console show ip dhcp snooping 4 171 Global DHCP Snooping status disable DHCP Snooping Information Option Status disable DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs Verify Source Mac Address enable Interface Trusted E...

Page 178: ...es from flash Removes all dynamically learned snooping entries from flash memory No Entry number for DHCP snooping binding information Unit Stack unit Port Port number VLAN ID VLAN for which DHCP snooping has been enabled MAC Address Physical address associated with the entry IP Address IP address corresponding to the client IP Address Type Indicates an IPv4 or IPv6 address type Lease Time Seconds...

Page 179: ...ress If no matching entry is found the packet is dropped When enabled traffic is filtered based upon dynamic entries learned via DHCP snooping see Configuring DHCP Snooping on page 3 117 or static addresses configured in the source guard binding table If IP source guard is enabled an inbound packet s IP address sip option or both its IP address and corresponding MAC address sip mac option will be ...

Page 180: ...nding MAC addresses stored in the binding table Web Click IP Source Guard Port Configuration Set the required filtering type for each port and click Apply Figure 3 75 IP Source Guard Port Configuration CLI This example shows how to enable IP source guard on port 5 to check the source IP address for ingress packets against the binding table Console config interface ethernet 1 5 Console config if ip...

Page 181: ...with the same VLAN ID and MAC address a new entry is added to the binding table using the type static IP source guard binding If there is an entry with the same VLAN ID and MAC address and the type of entry is static IP source guard binding then the new entry will replace the old one If there is an entry with the same VLAN ID and MAC address and the type of the entry is dynamic DHCP snooping bindi...

Page 182: ...P Source Guard Bindings Use the Dynamic Information page to display the source guard binding table for a selected interface Command Attributes Query by Select an interface to display the source guard binding Options Port VLAN MAC Address or IP Address Dynamic Binding Table Counts Displays the number of IP addresses in the source guard binding table Current Dynamic Binding Table Displays the IP add...

Page 183: ...7 Dynamic IP Source Guard Binding Information CLI This example shows how to configure a static source guard binding on port 5 Console show ip source guard binding 4 175 MacAddress IpAddress Lease sec Type VLAN Interface 00 10 60 db 37 6b 192 168 0 4 2147482988 dhcp snooping 1 Eth 1 3 Console ...

Page 184: ...own Speed Duplex Status Shows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow control currently in use IEEE 802 3x Back Pressure or None Autonegotiation Shows if auto negotiation is enabled or disabled Media Type6 Media type used for the combo ports Options Copper Forced SFP Forced or SFP Preferred Auto Default SFP Preferred Auto Trunk Member6 ...

Page 185: ...cast storm control is enabled or disabled Broadcast Storm Limit Shows the broadcast storm threshold 240 1488100 packets per second Multicast Storm Shows if multicast storm control is enabled or disabled Multicast Storm Limit Shows the multicast storm threshold 64 1 000 000 kilobits per second Unknown Unicast Storm Shows if unknown unicast storm control is enabled or disabled Unknown Unicast Storm ...

Page 186: ...s will be negotiated between the link partners based on their advertised capabilities To set the speed duplex mode or flow control under auto negotiation the required operation modes must be specified in the capabilities list for an interface The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or Console sho...

Page 187: ...regardless of the mode configured at the other end of the link To force 1000full operation requires the ports at both ends of a link to establish their role in the connection process as a master or slave Before using this feature auto negotiation must first be disabled and the Speed Duplex attribute set to 1000full Then select compatible Giga PHY modes at both ends of the link Note that using one ...

Page 188: ...000BASE SX LX LH 1000full Media Type Configures the forced preferred port type to use for the combination ports Ports 25 28 on iES4028F 27 28 on iES4028FP and 23 24 on iES4024GP Copper Forced Always uses the built in RJ 45 port SFP Forced Always uses the SFP port even if module is not installed SFP Preferred Auto Uses SFP port if both combination types are functioning and the SFP port has a valid ...

Page 189: ...SW 13 4 189 Console config if shutdown 4 195 Console config if no shutdown Console config if no negotiation 4 190 Console config if speed duplex 100half 4 189 Console config if flowcontrol 4 192 Console config if negotiation Console config if capabilities 100half 4 191 Console config if capabilities 100full Console config if capabilities flowcontrol Console config if ...

Page 190: ...fail one of the standby ports will automatically be activated to replace it Command Usage Besides balancing the load across each port in the trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on the devices at both ends When using a port trunk ...

Page 191: ... and also disconnect the ports before removing a static trunk via the configuration interface Command Attributes Member List Current Shows configured trunks Trunk ID Unit Port New Includes entry fields for creating new trunks Trunk Trunk identifier Range 1 8 Port Port identifier Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP Web Click Port Trunk Membership Enter a trunk ID of 1 8 in the Trunk ...

Page 192: ...st be configured for full duplex and auto negotiation Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu see page 3 135 Console config interface port channel 2 4 188 Console config if exit Console config interface ethernet 1 1 4 188 Console config if channel group 2 4 203 Console config if exit Console config interface ethernet 1 2 Consol...

Page 193: ...ields for creating new trunks Port Port identifier Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP Web Click Port LACP Configuration Select any of the switch ports from the scroll down port list and click Add After you have completed adding ports to the member list click Apply Figure 3 81 LACP Trunk Configuration ...

Page 194: ...d i e it has a null value of 0 this key is set to the same value as the port admin key used by the interfaces that joined the group lacp admin key as described in this section and on page 4 206 Console config interface ethernet 1 1 4 188 Console config if lacp 4 204 Console config if exit Console config interface ethernet 1 6 Console config if lacp Console config if end Console show interfaces sta...

Page 195: ...the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Admin Key The LACP administration key must be set to the same value for ports that belong to the same LAG Range 0 65535 Default 1 Port Priority If a link goes down LACP port priority is used to select a backup link Range 0 65535 Default 32768 Set Port Partner This menu sets the remote ...

Page 196: ...You can optionally configure these settings for the Port Partner Be aware that these settings only affect the administrative state of the partner and will not take effect until the next time an aggregate link is formed with this device After you have completed setting the port LACP parameters click Apply Figure 3 82 LACP Port Configuration ...

Page 197: ...e group Note that when the LAG is no longer used the port channel admin key is reset to 0 Console config interface ethernet 1 1 4 188 Console config if lacp actor system priority 3 4 205 Console config if lacp actor admin key 120 4 206 Console config if lacp actor port priority 128 4 208 Console config if exit Console config interface ethernet 1 4 Console config if lacp actor system priority 3 Con...

Page 198: ...DUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group Marker Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but...

Page 199: ...counters 4 209 Port channel 1 Eth 1 1 LACPDUs Sent 91 LACPDUs Receive 43 Marker Sent 0 Marker Receive 0 LACPDUs Unknown Pkts 0 LACPDUs Illegal Pkts 0 Table 3 9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port Admin Key Current administrative value of the key for the aggregation port LACPDUs Interval Number of seconds b...

Page 200: ...rotocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation Group the group has been associated with...

Page 201: ...n Information Field Description Partner Admin System ID LAG partner s system ID assigned by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admi...

Page 202: ...remote side of port channel 1 Console show lacp 1 neighbors 4 209 Port channel 1 neighbors Eth 1 1 Partner Admin System ID 32768 00 00 00 00 00 00 Partner Oper System ID 3 00 12 CF CE 2A 20 Partner Admin Port Number 5 Partner Oper Port Number 3 Port Admin Priority 32768 Port Oper Priority 128 Admin Key 0 Oper Key 120 Admin State defaulted distributing collecting synchronization long timeout Oper S...

Page 203: ...t This means that when mulicast storm control is enabled broadcast storm control is also enabled using the threshold value set by the multicast storm control command And when unknown unicast storm control is enabled both multicast and unknown unicast storm control are also enabled using the threshold value set by the unknown unicast storm control command Note Multicast and unknown unicast storm th...

Page 204: ... config if switchport broadcast packet rate 500 4 195 Console config if end Console show interfaces switchport ethernet 1 2 4 199 Information of Eth 1 2 Broadcast Threshold Enabled 500 Kbits second Multicast Threshold Disabled Unknown unicast Threshold Disabled LACP Status Disabled Ingress Rate Limit Disabled 100000 Kbits per second Egress Rate Limit Disabled 100000 Kbits per second VLAN Membershi...

Page 205: ...shold as percentage of port bandwidth Range 64 100000 kilobits per second for Fast Ethernet ports 64 1000000 kilobits per second for Gigabit ports Default 64 kilobits per second Trunk Shows if port is a trunk member Web Click Configuration Port Port Multicast Control or Trunk Multicast Control Check the Enabled box for any interface set the threshold and click Apply Figure 3 1 Port Multicast Contr...

Page 206: ...d as percentage of port bandwidth Range 64 100000 kilobits per second for Fast Ethernet ports 64 1000000 kilobits per second for Gigabit ports Default 64 kilobits per second Trunk Shows if port is a trunk member Web Click Configuration Port Port Unknown Unicast Control or Trunk Unknown Unicast Control Check the Enabled box for any interface set the threshold and click Apply Figure 3 2 Port Unknown...

Page 207: ...ributes Mirror Sessions Displays a list of current mirror sessions Source Port The port whose traffic will be monitored Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP Type Allows you to select which traffic to mirror to the target port Rx receive Tx transmit or Both Default Rx Target Port The port that will mirror the traffic on the source port Range 1 28 on iES4028F iES4028FP 1 24 on iES4024G...

Page 208: ...t configuration pages to apply rate limiting Command Usage Input and output rate limits can be enabled or disabled for individual interfaces Command Attributes Port Trunk Displays the port trunk number Rate Limit Status Enables or disables the rate limit Default Disabled Rate Limit Sets the rate limit level Range 64 100000 kilobits per second for Fast Ethernet ports 64 to 1000000 kilobits per seco...

Page 209: ...at this sub layer Received Broadcast Packets The number of packets delivered by this sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer Received Discarded Packets The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol One possible reason for disc...

Page 210: ...articular interface fails due to an internal MAC sublayer transmit error Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame SQE Test Errors A count of times that the SQE TEST ERROR m...

Page 211: ...er of frames received that were longer than 1518 octets excluding framing bits but including FCS octets and were otherwise well formed Fragments The total number of frames received that were less than 64 octets in length excluding framing bits but including FCS octets and had either an FCS or alignment error 64 Bytes Frames The total number of frames including bad packets received and transmitted ...

Page 212: ...ing the Switch 3 156 3 Web Click Port Port Statistics Select the required interface and click Query You can also use the Refresh button at the bottom of the page to update the screen Figure 3 90 Port Statistics ...

Page 213: ...within the switch s budget ports set at critical or high priority have power enabled in preference to those ports set at low priority during bootup For example when a device is connected to a port set to critical priority the switch supplies the required power if necessary by denying power to ports set for a lower priority during bootup Console show interfaces counters ethernet 1 13 4 198 Ethernet...

Page 214: ...onnected to the switch Thermal Temperature10 The internal temperature of the switch Software Version The version of software running on the PoE controller subsystem in the switch Web Click PoE Power Status Figure 3 91 Displaying the Global PoE Status CLI This example displays the current power status for the switch 10 This parameter is not supported for the current hardware Console show power main...

Page 215: ... to control the supplied power Range 37 180 watts Default 180 Watts Web Click PoE Power Config Specify the desired power budget for the switch Click Apply Figure 3 92 Setting the Switch Power Budget CLI This example sets the PoE power budget for the switch to the maximum level Displaying Port Power Status Use the Power Port Status page to display the current PoE power status for all ports Command ...

Page 216: ... not turned on If a device is connected to a critical or high priority port and would cause the switch to exceed its power budget as determined during booting up power is provided to the port only if the switch can drop power to one or more lower priority ports and thereby remain within its overall budget If a device is connected to a port after the switch has finished booting up and would cause t...

Page 217: ... Power Allocation Sets the power budget for the port Range 3000 15400 milliwatts Default 15400 milliwatts Web Click PoE Power Port Configuration Enable PoE power on selected ports set the priority and the power budget and then click Apply Figure 3 94 Configuring Port PoE Power CLI This example sets the PoE power budget for port 1 to 8 watts the priority to high 2 and then enables the power Console...

Page 218: ...re bound to the assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be written to the address table Command Attributes Static Address Counts11 The number of manually configured addresses Current Static Address Table Lists all the static addresses Interface Port or trunk associated with the device assigned a static add...

Page 219: ...e Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4094 Address Table Sort Key You can sort the information displayed based on MAC address VLAN or interface port or trunk Dynamic Address Counts The number of addresses dynamically learned Current Dynamic Address Table Lists all the dynamic addresses Web Click Address Table Dynamic Ad...

Page 220: ...which a learned entry is discarded Range 10 630 seconds Default 300 seconds Web Click Address Table Address Aging Specify the new aging time click Apply Figure 3 97 Setting the Address Aging Time CLI This example sets the aging time to 300 seconds Console show mac address table interface ethernet 1 1 4 224 Interface Mac Address Vlan Type Eth 1 1 00 12 CF 48 82 93 1 Delete on reset Eth 1 1 00 12 CF...

Page 221: ...orwarding a packet from that LAN to the root device All ports connected to designated bridging devices are assigned as designated ports After determining the lowest cost spanning tree it enables all root ports and designated ports and disables all other ports Network packets are therefore only forwarded between root ports and designated ports eliminating any possible network loops Once a stable ne...

Page 222: ...ds a Internal Spanning Tree IST for the Region containing all commonly configured MSTP bridges An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers including the Region Name Revision Level and Configuration Digest see Configuring Multiple Spanning Trees on page 3 181 An MST Region may contain multiple MSTP Instances An Internal Spanning Tree ...

Page 223: ...rop the loopback BPDU according to IEEE Standard 802 1w 2001 9 3 4 Note 1 2 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch 3 When configured for manual release mode then a link down up event will not release the port from the discarding state Field Attributes Port Indicates the interface to be configured Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP Stat...

Page 224: ...interfaces which includes both ports and trunks Hello Time Interval in seconds at which the root device transmits a configuration message Forward Delay The maximum time in seconds the root device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In ...

Page 225: ...ion provided in the last configuration message a new root port is selected from among the device ports attached to the network References to ports in this section means interfaces which includes both ports and trunks Root Forward Delay The maximum time in seconds this device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must r...

Page 226: ... tree 4 246 Spanning tree information Spanning Tree Mode RSTP Spanning Tree Enabled Disabled Enabled Instance 0 VLANs Configuration 1 4094 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 0013F7D37E60 Current Root Port 54 Current Root Cost ...

Page 227: ...ning Tree Protocol MSTP generates a unique spanning tree for each instance This provides multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance To allow multiple spanning trees to operate over the network you must configure a ...

Page 228: ... seconds at which the root device transmits a configuration message Default 2 Minimum 1 Maximum The lower of 10 or Max Message Age 2 1 Maximum Age The maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA i...

Page 229: ... the minimum interval between the transmission of consecutive protocol messages Range 1 10 Default 3 Configuration Settings for MSTP Max Instance Numbers The maximum number of MSTP instances to which this switch can be assigned Configuration Digest An MD5 signature key that contains the VLAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision13 ...

Page 230: ...Configuring the Switch 3 174 3 Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 3 100 Configuring Spanning Tree ...

Page 231: ...ng If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment the port with the smaller ID forwards packets and the other is discarding All ports are discarding when the switch is booted then some of them change state to learning and then to forwarding Forward Transitions The number of times this port has transitioned from the Learning stat...

Page 232: ...t bridge i e root port connecting a LAN through the bridge to the root bridge i e designated port or is the MSTI regional root i e master port or is an alternate or backup port that may provide connectivity if other bridges bridge ports or LANs fail or are removed The role is set to disabled i e disabled port if a port has no role within the spanning tree Trunk Member Indicates if a port is a memb...

Page 233: ...ncluded for backward compatibility with earlier products Admin Edge Port You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or...

Page 234: ...eceives STA configuration messages but does not forward packets Learning Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information Port address table is cleared and the port begins learning addresses Forwarding Port forwards packets and continues learning addresses Trunk14 Indicates if a port is a member of a trunk ST...

Page 235: ...nge 0 240 in steps of 16 Admin Path Cost This parameter is used by the STA to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority Range 0 for auto configuration 1 65535 for the short path cost method15 1 200 000 000 for the long path co...

Page 236: ...to initiate reconfiguration when the interface changes state and also overcomes other STA related timeout problems However remember that Edge Port should only be enabled for ports connected to an end node device Default Disabled Migration If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to for...

Page 237: ... VLANs which cover the same general area of your network However remember that you must configure all bridges within the same MSTI Region page 3 133 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree To use multiple spanning trees 1 Set the spa...

Page 238: ...4 Default 0 VLAN ID VLAN to assign to this selected MST instance Range 1 4094 The other global attributes are described under Displaying Global Settings page 3 168 The attributes displayed by the CLI for individual interfaces are described under Displaying Interface Settings page 3 175 Web Click Spanning Tree MSTP VLAN Configuration Select an instance identifier from the list set the instance prio...

Page 239: ...ello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 0 0013F7D37E60 Current Root Port 27 Current Root Cost 10000 Number of Topology Changes 1 Last Topology Change Time sec 7114 Transmission Limit 3 Path Cost Method Long Flooding Behavior To VLAN Eth 1 1 Information Admin Status Enabled Role Designate State Forwarding External Admin Path ...

Page 240: ... in the selected MST instance Command Attributes MST Instance ID Instance identifier to configure Default 0 Note The other attributes are described under Displaying Interface Settings on page 3 175 Web Click Spanning Tree MSTP Port or Trunk Information Select the required MST instance to display the current spanning tree values Figure 3 104 Displaying MSTP Interface Settings ...

Page 241: ... Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 0 0013F7D37E60 Current Root Port 27 Current Root Cost 10000 Number of Topology Changes 1 Last Topology Change Time sec 7449 Transmission Limit 3 Path Cost Method Long Flooding Behavior To VLAN Eth 1 1 Information Admin Status Enabled Role Designate State Forwarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper ...

Page 242: ...the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 Admin ...

Page 243: ... is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify network management by allowing you to move devices to a new VLAN without having to change any physical connections VLANs can be easily organized to reflect departmental groups such as Marketing or R D usage groups such as e mail or multicast gro...

Page 244: ...ame VLAN s either manually or dynamically using GVRP However if you want a port on this switch to participate in one or more VLANs but none of the intermediate network devices nor the host at the other end of the connection supports VLANs then you should add this port to the VLAN as an untagged port Note VLAN tagged frames can pass through VLAN aware or VLAN unaware network interconnection devices...

Page 245: ...e message arrives at another switch that supports GVRP it will also place the receiving port in the specified VLANs and pass the message on to all other ports VLAN requirements are propagated in this way throughout the network This allows GVRP compliant devices to be automatically configured for VLAN groups based solely on endstation requests To implement GVRP in a network first add the host devic...

Page 246: ... tag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID Enabling or Disabling GVRP Global Setting GARP VLAN Registration Pr...

Page 247: ...h Maximum Number of Supported VLANs Maximum number of VLANs that can be configured on this switch Web Click VLAN 802 1Q VLAN Basic Information Figure 3 107 Displaying Basic VLAN Information CLI Enter the following command 16 Web Only Console show bridge ext 4 250 Max Support VLAN Numbers 256 Max Support VLAN ID 4094 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Lea...

Page 248: ...d VLAN 1 4094 Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Egress Ports Shows all the VLAN port members Untagged Ports Shows the untagged VLAN port members Web Click VLAN 802 1Q VLAN Current Table Select any ID from the scroll down list Figure 3 108 ...

Page 249: ...ier for a new VLAN group The VLAN name is only used for management on this system it is not added to the VLAN tag VLAN ID ID of configured VLAN 1 4094 no leading zeroes VLAN Name Name of the VLAN 1 to 32 characters no spaces Status Web Enables or disables the specified VLAN Enabled VLAN is operational Disabled VLAN is suspended i e does not pass packets State CLI Enables or disables the specified ...

Page 250: ...Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Eth1 18 S Eth1 19 S Eth1 20 S Eth1 21 S Eth1 22 S Eth1 23 S Eth1 24 S VLAN ID 2 Type Static Name RD Status Active Ports Port Channels VLAN ID 4093 Type Static Name Status Active Por...

Page 251: ... the VLAN 1 to 32 characters Status Enables or disables the specified VLAN Enable VLAN is operational Disable VLAN is suspended i e does not pass packets Port Port identifier Membership Type Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk Tagged Interface is a member of the VLAN All packets transmitted by the port will be tagged that is carry a...

Page 252: ...Figure 3 110 Configuring a VLAN Static Table CLI The following example adds tagged and untagged ports to VLAN 2 Console config interface ethernet 1 1 4 188 Console config if switchport allowed vlan add 2 tagged 4 260 Console config if exit Console config interface ethernet 1 2 Console config if switchport allowed vlan add 2 untagged Console config if exit Console config interface ethernet 1 13 Con...

Page 253: ... by Port Select an interface from the scroll down box Port or Trunk Click Query to display membership information for the interface Select a VLAN ID and then click Add to add the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Figure 3 111 VLAN Static Membership by Port CLI This example adds Port 3 to VLAN 1 as a...

Page 254: ...or untagged frames or only tagged frames When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Options All Tagged Default All Ingress Filtering Determines how to process frames tagged for VLANs for which the ingress port is not a member Ingress Filtering is always enabled Default Enabled Ingress filtering only affects tagged frames If ingress fi...

Page 255: ...raffic generated by nodes rejoining the group Range 500 18000 centiseconds Default 1000 Mode Indicates VLAN membership mode for an interface Default Hybrid Access Sets the port to operate as an untagged interface All frames are sent untagged 1Q Trunk Specifies a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the...

Page 256: ...ce provider s network and then stripping the tags when the frames leave the network A service provider s customers may have specific requirements for their internal VLAN IDs and number of VLANs supported VLAN ranges required by different customers in the same service provider network might easily overlap and traffic passing through the infrastructure might be mixed Assigning a unique range of VLAN...

Page 257: ...t enters another trunk port in an intermediate or core switch in the service provider s network the outer tag is stripped for packet processing When the packet exits another trunk port on the same core switch the same SPVLAN tag is again added to the packet When a packet enters the trunk port on the service provider s egress switch the outer tag is again stripped for packet processing However the ...

Page 258: ...be stripped If it is a tagged member the outgoing packets will have two tags Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets Untagged One tag CVLAN or SPVLAN Double tag CVLAN SPVLAN The ingress process does source and destination lookups If both lookups are successful the ingress process writes the packet to memory Then the egress proc...

Page 259: ...uses non customer packets to be forwarded to the SPVLAN Static trunk port groups are compatible with QinQ tunnel ports as long as the QinQ configuration is consistent within a trunk port group The native VLAN VLAN 1 is not normally added to transmitted frames Avoid using VLAN 1 as an SPVLAN tag for customer traffic to reduce the risk of misconfiguration Instead use VLAN 1 as a management VLAN inst...

Page 260: ...tom 802 1Q ethertype value on the selected interface This feature allows the switch to interoperate with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example if 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field a...

Page 261: ...e of the port None The port operates in its normal VLAN mode This is the default 802 1Q Tunnel Configures IEEE 802 1Q tunneling QinQ for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network 802 1Q Tunnel Uplink Configures IEEE 802 1Q tunneling QinQ for an uplink port to another device within the service provider network Trunk Member Sho...

Page 262: ...ough the uplink ports used by other clients allowing different clients to share access to their uplink ports where security is less likely to be compromised Note Due to switch ASIC limitations traffic segmentation is not supported on the iES4024GP Console config interface ethernet 1 2 4 188 Console config if switchport dot1q tunnel mode access 4 264 Console config if interface ethernet 1 3 Console...

Page 263: ...les traffic segmentation and allows traffic to be forwarded across the uplink ports assigned to different client sessions Configuring Traffic Segmentation Sessions Use the Traffic Segmentation Session Configuration page to create a client session and assign the downlink and uplink ports to service the traffic associated with each session Command Attributes Session ID Traffic segmentation session R...

Page 264: ... enables traffic segmentation and allows traffic to be forwarded across the uplink ports assigned to different client sessions Console config pvlan session 1 uplink ethernet 1 24 downlink ethernet 1 14 268 Console config exit Console show pvlan 4 270 Private VLAN Status Enabled Uplink to Uplink Mode Forwarding Session Uplink Ports Downlink Ports 1 Ethernet 1 24 Ethernet 1 1 Ethernet 1 2 Ethernet 1...

Page 265: ... Private VLAN Configuration menu page 3 210 to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the VLAN groups 2 Use the Private VLAN Association menu page 3 211 to map the secondary i e community VLAN s to the primary VLAN 3 Use the Private VLAN Port Configuration menu page 3 213 to set the port type to promiscuous i e having access to all ports in ...

Page 266: ...n only pass through port 3 Configuring Private VLANs The Private VLAN Configuration page is used to create remove primary or community VLANs Command Attributes VLAN ID ID of configured VLAN 2 4094 Type There are two types of private VLANs Primary VLANs Conveys traffic between promiscuous ports and to community ports within secondary or community VLANs Community VLANs Conveys traffic between commun...

Page 267: ...d with a primary VLAN Command Attributes Primary VLAN ID ID of primary VLAN 2 4094 Association Community VLANs associated with the selected primary VLAN Non Association Community VLANs not associated with the selected VLAN Web Click VLAN Private VLAN Association Select the required primary VLAN from the scroll down box highlight one or more community VLANs in the Non Association list box and click...

Page 268: ...is an isolated port that can only communicate with the lone promiscuous port within its own isolated VLAN Promiscuous A promiscuous port can communicate with all the interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated secondary VLANs Community VLAN A community VLAN conveys traffic between co...

Page 269: ... assigned to a private VLAN Host The port is a community port A community port can communicate with other ports in its own community VLAN and with designated promiscuous port s Promiscuous A promiscuous port can communicate with all interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated seconda...

Page 270: ...erent VLANs in order to encompass all the devices participating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with protocol based VLANs that divide the physical network into logical VLAN groups for each required protocol When a frame is received at a por...

Page 271: ... Group ID assigned to the Protocol VLAN Group Range 1 2147483647 Frame Type Choose either Ethernet RFC 1042 or LLC Other as the frame type used by this protocol Protocol Type Specifies the protocol type to match The available options are IP ARP and RARP If LLC Other is chosen for the Frame Type the only available Protocol Type is IPX Raw Note Traffic which matches IP Protocol Ethernet Frames is ma...

Page 272: ... matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interface Command Attributes Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 4094 Web Click VLAN Protocol VLAN System ...

Page 273: ...abling LLDP on the switch setting the message ageout time and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB Command Attributes LLDP Enables LLDP globally on the switch Default Enabled Transmission Interval Configures the periodic transmit interval for LLDP advertisements Range 5 32768 seconds Default 30 seconds This attribute must comply wit...

Page 274: ...between SNMP notifications is not transmitted Only state changes that exist at the time of a notification are included in the transmission An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss MED Fast Start Count Configures the amount of LLDP MED Fast Start ...

Page 275: ...E 802 1AB the LLDP MED MIB ANSI TIA 1057 or vendor specific LLDP EXT DOT1 and LLDP EXT DOT3 MIBs For information on defining SNMP trap destinations see Specifying Trap Managers and Trap Types on page 3 43 Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a trap notification are included in th...

Page 276: ... address TLV Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier VID associated with the management address reported by this TLV System Name The system name is taken from the sysName object in RFC 3418 which contains the system s admin...

Page 277: ...er pertinent information MED Notification Enables the transmission of SNMP trap notifications about LLDP MED changes Default Enabled Trunk The trunk identifier Port Information only Web Click LLDP Port Trunk Configuration Set the LLDP transmit receive mode specify whether or not to send SNMP trap messages select the information to advertise in LLDP messages select the information to advertise in M...

Page 278: ... description 4 295 Console config if lldp basic tlv management ip address 4 294 Console config if lldp basic tlv system name 4 296 Console config if lldp basic tlv system capabilities 4 295 Console config if lldp medtlv extPoe 4 300 Console config if lldp medtlv inventory 4 301 Console config if lldp medtlv location 4 301 Console config if lldp medtlv med cap 4 302 Console config if lldp medtlv ne...

Page 279: ...l packet includes the IPv4 address of the switch If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Port Description A string that indicates the port s...

Page 280: ...nd 4 gigabit ports with PoE switch System Capabilities Support Bridge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 01 02 03 04 06 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 01 02 03 04 07 Ethernet Port on unit 1 port 2 Eth 1 3 MAC Address 00 01 02 03 04 08 Ethernet Port on unit ...

Page 281: ...is LLDPDU was transmitted Port Name A string that indicates the port s description If RFC 2863 is implemented the ifDescr object should be used for this field System Name An string that indicates the system s administratively assigned name Web Click LLDP Remote Port Trunk Information Figure 3 127 LLDP Remote Port Information CLI This example displays LLDP information for remote devices attached to...

Page 282: ...g that contains the specific identifier for the port from which this LLDPDU was transmitted System Name An string that indicates the system s configures assigned name System Description A textual description of the network entity System Capabilities Supported The capabilities that define the primary function s of the system See Table 3 16 System Capabilities on page 223 System Capabilities Enabled...

Page 283: ... to a specific port on this switch Console show lldp info remote device detail ethernet 1 1 4 306 LLDP Remote Devices Information Detail Local PortName Eth 1 1 Chassis Type MAC Address Chassis Id 00 01 02 03 04 05 PortID Type MAC Address PortID 00 01 02 03 04 06 SysName SysDescr L2 Fast Ethernet POE standalone Switch PortDescr Ethernet Port on unit 1 port 1 SystemCapSupported Bridge SystemCapEnabl...

Page 284: ... have been removed from the LLDP remote systems MIB for any reason Neighbor Entries Dropped Count The number of times which the local remote database dropped an LLDPDU because of insufficient resources Neighbor Entries Age out Count The number of times that a neighbor s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired Interface Statistics on LL...

Page 285: ...r of LLDP PDUs received Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count of all TLVs not recognized by the receiving LLDP local agent TLVs Discarded A count of all LLDPDUs received and then discarded due to insufficient memory space missing or out of sequence attributes or any other reason Neighbor Ageouts A count of the times that a neighbor s information has been deleted fro...

Page 286: ...ffered in the switch due to congestion This switch supports CoS with four priority queues for each port Data packets in a port s high priority queue will be transmitted before those in the lower priority queues You can set the default priority for each interface and configure the mapping of frame priority tags to the switch s priority queues switch show lldp info statistics detail ethernet 1 1 4 3...

Page 287: ...both untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will be used If the output port is an untagged member of the associated VLAN these frames are stripped of all VLAN tags prior to transmission Command Attributes Default Priority18 The priority that is assigned to...

Page 288: ...erface ethernet 1 3 4 188 Console config if switchport priority default 5 4 309 Console config if end Console show interfaces switchport ethernet 1 3 4 199 Information of Eth 1 3 Broadcast Threshold Enabled 64 Kbits second Multicast Threshold Disabled Unknown unicast Threshold Disabled LACP Status Disabled Ingress Rate Limit Disabled 100000 Kbits per second Egress Rate Limit Disabled 100000 Kbits ...

Page 289: ...ic values for CoS priorities is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch 4 Controlled Load 5 Video less than 100 milliseconds latency and jitter 6 Voice less than 10 milliseconds latency and jitter 7 Network Control 19 CLI shows Queue ID Console config interface ethernet 1 1 4 188 Console config if queue cos map 0 0 4 310 Cons...

Page 290: ...shares bandwidth at the egress ports by using scheduling weights with default values of 1 2 4 8 for queues 0 through 3 respectively This is the default selection Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queues before servicing lower priority queues Web Click Priority Queue Mode Select Strict or WRR then click Apply Figure 3 133 Queue Mod...

Page 291: ...hod of prioritizing layer 3 4 traffic to meet application requirements Traffic priorities can be specified in the IP header of a frame using the priority bits in the Type of Service TOS octet or the number of the TCP port If the priority bits are used the TOS octet may contain six bits for Differentiated Services Code Point DSCP service When these service is enabled the priorities are mapped to a ...

Page 292: ...g Disabled IP DSCP Maps layer 3 4 priorities using Differentiated Services Code Point Mapping Web Click Priority IP DSCP Priority Status Select IP DSCP from the drop down menu then click Apply Figure 3 135 IP DSCP Priority Status CLI The following example globally enables DSCP Priority service on the switch Console config map ip dscp 4 313 Console config end Console show map ip dscp 4 315 dscp Map...

Page 293: ...that all the DSCP values that are not specified are mapped to CoS value 0 Command Attributes DSCP Priority Table Shows the DSCP Priority to CoS map Class of Service Value Maps the selected DSCP Priority value a CoS value Note that 0 represents low priority and 7 represent high priority Note IP DSCP settings apply to all interfaces Web Click Priority IP DSCP Priority Select an entry from the DSCP t...

Page 294: ...outers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class Class information can be assigned by end hosts or switches or routers along the path Priority can then be assigned based on a general policy or a detailed examination of the packet However note that detailed examination of packets should take place close to the network ed...

Page 295: ...vice Policy to assign a policy map to a specific interface Configuring a Class Map A class map is used for matching packets to a specified class Command Usage To configure a Class Map follow these steps Open the Class Map page and click Add Class When the Class Configuration page opens fill in the Class Name field and click Add When the Match Class Settings page opens specify type of traffic for t...

Page 296: ...rs to the criteria specified by the lone match command Description A brief description of a class map Range 1 64 characters Add Adds the specified class Back Returns to previous page with making any changes Match Class Settings Class Name List of class maps ACL List Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs Range 1 16 charac...

Page 297: ...les to change the rules of an existing class Figure 3 137 Configuring Class Maps CLI This example creates a class map call rd_class and sets it to match packets marked for DSCP service value 3 Console config class map rd_class match any 4 317 Console config cmap match ip dscp 3 4 318 Console config cmap ...

Page 298: ...lso note that the maximum number of classes that can be applied to a policy map is 16 Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is specified by the Burst field and the average rate at which tokens are removed from the bucket is specified by the Rate option After using the policy map to define packet classification service tagging and b...

Page 299: ...Name Name of class map Action Configures the service provided to ingress traffic by setting a CoS or IP DSCP value in a matching packet as specified in Match Class Settings on page 3 239 Range CoS 0 7 DSCP 0 63 Meter Check this to define the maximum throughput burst rate and the action that results from a policy violation Rate kbps Rate in kilobits per second Range 1 100000 kbps or maximum port sp...

Page 300: ...h 3 244 3 Web Click QoS DiffServ Policy Map to display the list of existing policy maps To add a new policy map click Add Policy To configure the policy rule settings click Edit Classes Figure 3 138 Configuring Policy Maps ...

Page 301: ...ommand Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the scroll down box Web Click QoS DiffServ Service Policy Settings Check Enabled and choose a Policy Map for a port from the scroll down box then click Apply Figure 3 139 Service Policy Settings CLI Th...

Page 302: ...ng the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically assigns the port as a tagged member the Voice VLAN Alternatively switch ports can be manually configured Configuring VoIP Traffic To configure the switch for VoIP traffic first enable the automatic detection of VoIP device...

Page 303: ...ember to the Voice VLAN when VoIP traffic is detected on the port You must select a method for detecting VoIP traffic either OUI or 802 1ab LLDP When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list Manual The Voice VLAN feature is enabled on the port but the port must be manually added to the Voice VLAN Security Enables security filtering that discards any non...

Page 304: ...ed on See Link Layer Discovery Protocol on page 3 217 for more information on LLDP Priority Defines a CoS priority for port traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port Web Click QoS VoIP Traffic Setting Port Configuration Set the mode for a VoIP traffic port select the detection mechanism...

Page 305: ... the first three octets Other masks restrict the MAC address range Selecting FF FF FF FF FF FF specifies a single MAC address Default FF FF FF 00 00 00 Description User defined text that identifies the VoIP devices Console config interface ethernet 1 2 Console config if switchport voice vlan auto 4 282 Console config if switchport voice vlan security 4 283 Console config if switchport voice vlan r...

Page 306: ...then click Add Figure 3 142 Telephony OUI List CLI This example adds an identifier to the list then displays the current list Console config voice vlan mac address 00 e0 bb 00 00 00 mask ff ff ff 00 00 00 description old phones 4 281 Console config exit Console show voice vlan oui 4 285 OUIAddress Mask Description 00 e0 bb 00 00 00 FF FF FF 00 00 00 old phones 00 11 22 33 44 55 FF FF FF 00 00 00 n...

Page 307: ...r the ports that want to join a multicast group and set its filters accordingly If there is no multicast router attached to the local subnet multicast traffic and query messages may not be received by the switch In this case Layer 2 IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service IGMP Query thereby identifies the ports containing hosts...

Page 308: ...d In this case traffic is filtered from sources in the Exclude list and forwarded from all other available sources Notes 1 When the switch is configured to use IGMPv3 snooping the snooping version may be downgraded to version 2 or version 1 depending on the version of the IGMP query packets detected on each VLAN 2 IGMP snooping will not function unless a multicast router port is enabled on the swi...

Page 309: ...able is already full the switch will continue flooding the traffic into the VLAN IGMP Querier A router or multicast enabled switch can periodically ask their hosts if they want to receive multicast traffic If there is more than one router switch on the LAN performing IP multicasting one of these devices is elected querier and assumes the role of querying the LAN for group members It then propagate...

Page 310: ...the interface which had been receiving query packets to have expired Range 300 500 seconds Default 300 IGMP Version Sets the protocol version for compatibility with other devices on the network Range 1 3 Default 2 Notes 1 All systems on the subnet must support the same version 2 Some attributes are only enabled for IGMPv2 and or v3 including Act as IGMP Querier IGMP Report Delay and IGMP Query Tim...

Page 311: ...ted to the interface Therefore immediate leave should only be enabled on an interface if it is connected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping Immediate leave is only effective if IGMP snooping is enabled and IGMPv2 or IGMPv3 snooping is used Immediate leave does not apply to a port if the switch has learned that a multicast router is attached to...

Page 312: ...oss the Internet These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4094 Multicast Router List Multicast routers dynamically discov...

Page 313: ... if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your switch you can manually configure the interface and a specified VLAN to join all the current multicast groups supported by the attached router This can ensure that multicast traffic is passed to all the appropriate interfaces within the switch Command Attributes Interface Activa...

Page 314: ...hin VLAN 1 Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service Command Attributes VLAN ID Selects the VLAN for which to display port members Range 1 4094 Multicast IP Address The IP address for a specific multicast service Multicast Group Port List Shows the interfaces that have already been assigned to the selected ...

Page 315: ...cribed in Configuring IGMP snooping and Query Parameters on page 3 133 For certain applications that require tighter control you may need to statically configure a multicast service on the switch First add all the ports attached to participating hosts to a common VLAN and then assign the multicast service to that VLAN group Command Usage Static multicast addresses are never aged out When a multica...

Page 316: ...P TV service based on a specific subscription plan The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port and IGMP throttling limits the number of simultaneous multicast groups a port can join IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port A...

Page 317: ...iltering and throttling on the switch you must first enable the feature globally and create IGMP profile numbers Command Attributes IGMP Filter Enables IGMP filtering and throttling globally for the switch Default Disabled IGMP Profile Creates IGMP profile numbers Range 1 4294967295 Web Click IGMP Snooping IGMP Filter Configuration Create a profile group by entering a number in the text box and cl...

Page 318: ...configuration Access Mode Sets the access mode of the profile either permit or deny Default Deny New Multicast Address Range List Specifies multicast groups to include in the profile Specify a multicast group range by entering a start and end IP address Specify a single multicast group by entering the same IP address for the start and end of the range Click the Add button to add a range to the cur...

Page 319: ...IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Command Attributes Profile Selects an existing profile number to assign to an interface Max Multicast Groups Sets the maximum number of multicast groups an interface can join at the same time Range 0 256 Default 256 Current Multicast Groups Di...

Page 320: ...rrent IGMP filtering and throttling settings for the interface are then displayed Console config interface ethernet 1 1 4 188 Console config if ip igmp filter 19 4 337 Console config if ip igmp max groups 64 4 338 Console config if ip igmp max groups action deny 4 338 Console config if end Console show ip igmp filter interface ethernet 1 1 4 339 Information of Eth 1 1 IGMP Profile 19 permit range ...

Page 321: ...ups from the MVR VLAN users in different IEEE 802 1Q or private VLANs cannot exchange any information except through upper level routing services General Configuration Guidelines for MVR 1 Enable MVR globally on the switch select the MVR VLAN and add the multicast groups that will stream traffic to attached hosts see Configuring Global MVR Settings on page 3 266 2 Set the interfaces that will join...

Page 322: ...receive data from that multicast group Default Disabled MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is true as long as MVR Status is enabled and the specified MVR VLAN exists MVR VLAN Identifier of the VLAN that serves as the channel for streaming multicast services using MVR MVR source ports should be configured as membe...

Page 323: ...o the MVR VLAN Field Attributes Type Shows the MVR port type Oper Status Shows the link status MVR Status Shows the MVR status MVR status for source ports is ACTIVE if MVR is globally enabled on the switch MVR status for receiver ports is ACTIVE only if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Imm...

Page 324: ...ou can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration Field Attributes Group IP Multicast groups assigned to the MVR VLAN Group Port List Shows the interfaces with subscribers for multicast services provided through the MVR VLAN Console show mvr interface 4 344 Port Type Status Immediate Leave eth1 1 SOURCE ACTIVE UP Disable eth1 2 RECEIV...

Page 325: ...ssociated with multicast groups assigned to the MVR VLAN Console show mvr interface 4 344 MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 INACTIVE None 225 0 0 6 INACTIVE None 225 0 0 7 INACTIVE None 225 0 0 8 INACTIVE None 225 0 0 9 INACTIVE None 225 0 0 10 INACTIVE None Console ...

Page 326: ...ch have been statically assigned see Assigning Static Multicast Groups to Interfaces on page 3 271 Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a...

Page 327: ...iver port and then enables immediate leave on the receiver port Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts you can statically bind the multicast group to the participating interfaces Command Usage Any multicast groups that use the MVR VLAN must be statically assigned to it under the MVR Configurat...

Page 328: ...hows the IP addresses for all MVR multicast groups which have not been statically assigned to the selected interface Web Click MVR Group Member Configuration Select a port or trunk from the Interface field and click Query to display the assigned multicast groups Select a multicast address from the displayed lists and click the Add or Remove button to modify the Member list Figure 3 156 MVR Group M...

Page 329: ...he management station There can be up to 100 candidates and 36 member switches in one cluster A switch can only be a member of one cluster After the Commander and Members have been configured any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop down menu To connect to the Member switch from the Commander CLI prompt use the rcommand see...

Page 330: ...able to become Members Web Click Cluster Configuration Figure 3 158 Cluster Configuration CLI This example first enables clustering on the switch sets the switch as the cluster Commander and then configures the cluster IP pool Configuring Cluster Members Use the Member Configuration page to add Candidate switches to the cluster as Members Command Attributes Member ID Specify a Member ID number for...

Page 331: ...ter Member switches Command Attributes Member ID The ID number of the Member switch Range 1 36 Role Indicates the current status of the switch in the cluster IP Address The internal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch Console config cluster member mac address 00 12 34 56 78 ...

Page 332: ... already cluster Members or are available to become cluster Members Command Attributes Role Indicates the current status of Candidate switches in the network MAC Address The MAC address of the Candidate switch Description The system description string of the Candidate switch Web Click Cluster Candidate Information Figure 3 161 Cluster Candidate Information Vty 0 show cluster members 4 77 Cluster M...

Page 333: ...the device in the discovery message After a control point has retrieved a description of the device it can send actions to the device s service To do this a control point sends a suitable control message to the control URL for the service provided in the device description When a device is known to the control point periodic event notification messages are sent A UPnP description for a service inc...

Page 334: ...agement interface or select Properties to display a list of device attributes advertised by the switch through UPnP UPnP Configuration Use the UPnP Configuration page to enable or disable UPnP and to set advertisement and time out values Command Attributes UPNP Status Enables disables UPnP on the device Default Disabled Advertising Duration This sets the duration of which a device will advertise i...

Page 335: ...e TTL to 6 and displays information about basic UPnP configuration Console config upnp device 4 78 Console config upnp device advertise duration 200 4 79 Console config upnp device ttl 6 4 78 Console config end Console sh upnp 4 79 UPnP global settings Status Enabled Advertise duration 200 TTL 6 Console ...

Page 336: ...Configuring the Switch 3 280 3 This page is intentionally left blank ...

Page 337: ... the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal ac...

Page 338: ...ed network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing these steps 1 From the remote host enter the Telnet command and the IP address of the device you want to access 2 At the prompt enter the user name and system password The CLI will display the Vty n promp...

Page 339: ...how startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is am...

Page 340: ... lldp LLDP log Login records logging Logging setting mac MAC access list mac address table Shows the MAC address table management Show management information map Maps priority memory Memory utilization mvr Shows MVR global parameters network access Shows the entries of the secure port ntp Network Time Protocol configuration policy map Displays policy maps port Port characteristics power Show power...

Page 341: ...sing the up arrow key Any command displayed in the history list can be executed again or first modified and then executed Using the show history command displays a longer list of recently executed commands Understanding Command Modes The command set is divided into Exec and Configuration classes Exec commands generally display information on system status or clear statistical counters Configuratio...

Page 342: ... Exec mode from within Normal Exec mode by entering the enable command followed by the privileged level password super page 4 102 To enter Privileged Exec mode enter the following user names and passwords Table 4 1 Command Modes Class Mode Exec Normal Privileged Configuration Global Access Control List Class Map Interface Line Multiple Spanning Tree Policy Map Server Group VLAN Database You must b...

Page 343: ... multiple spanning tree instance Policy Map Configuration Creates a DiffServ policy map for multiple interfaces VLAN Configuration Includes the command to create VLAN groups To enter the Global Configuration mode enter the command configure in Privileged Exec mode The system prompt will change to Console config which gives you access privilege to all Global Configuration commands To enter the othe...

Page 344: ... config Table 4 3 Command Line Processing Keystroke Function Ctrl A Shifts cursor to start of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats cur...

Page 345: ...s filtering for IP frames based on address protocol or TCP UDP port number or TCP control code or non IP frames based on MAC address or Ethernet type 4 176 Interface Configures the connection parameters for all Ethernet ports aggregated links and VLANs 4 188 Link Aggregation Statically groups multiple ports into a single logical trunk configures Link Aggregation Control Protocol for port trunks 4 ...

Page 346: ...ress for the switch 4 347 Table 4 5 General Commands Command Function Mode Page enable Activates privileged mode NE 4 11 disable Returns to normal mode from privileged mode PE 4 11 configure Activates global configuration mode PE 4 12 show history Shows the command history buffer NE PE 4 12 reload Restarts the system PE 4 13 show reload Displays the time remaining until a delayed reset will take p...

Page 347: ...rivileged Exec To set this password see the enable password command on page 4 102 The character is appended to the end of the prompt to indicate that the system is in privileged access mode Example Related Commands disable 4 11 enable password 4 102 disable This command returns to Normal Exec mode from privileged mode In normal access mode you can only display basic information on the switch s con...

Page 348: ...ration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configuration See Understanding Command Modes on page 4 5 Default Setting None Command Mode Privileged Exec Example Related Commands end 4 15 show history This command shows the contents of the command history buffer Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The history buffer size is...

Page 349: ...onfigured delayed reset Syntax reload in hour hours minute minutes minute minutes cancel hours Specifies the amount of hours to wait combined with the minutes before the switch resets Range 0 576 Default 0 minutes Specifies the amount of minutes to wait combined with the hours before the switch resets Range 1 34560 Default 0 cancel Cancels a pending delayed reset Note When the system is restarted ...

Page 350: ...nd displays the remaining time until a pending delayed reset will take place Syntax show reload Default Setting None Command Mode Privileged Exec Example This example shows how to display the remaining time until a configured delayed reset of the switch will take place prompt This command customizes the CLI prompt Use the no form to restore the default prompt Syntax prompt string no prompt string ...

Page 351: ... how to return to the Privileged Exec mode from the Interface Configuration mode exit This command returns to the previous configuration mode or exit the configuration program Default Setting None Command Mode Any Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config prompt RD2 RD2 config Console config ...

Page 352: ...nistrative contact device identification and location 4 18 System Status Displays system configuration active managers and version information 4 27 Frame Size Enables support for jumbo frames 4 33 File Management Manages code image or switch configuration files 4 34 Line Sets communication parameters for the serial port including baud rate and console time out 4 40 Event Logging Controls logging o...

Page 353: ...t access via a web browser 4 123 Telnet Server Enables management access via Telnet 4 126 Secure Shell Provides secure replacement for Telnet 4 127 Table 4 7 Device Designation Commands Command Function Mode Page prompt Customizes the prompt used in PE and NE mode GC 4 14 hostname Specifies the host name for the switch GC 4 17 snmp server contact Sets the system contact string GC 4 88 snmp server ...

Page 354: ...pany information that is displayed by the banner GC 4 19 banner configure dc power info Configures DC Power information that is displayed by the banner GC 4 20 banner configure department Configures Department information that is displayed by the banner GC 4 21 banner configure equipment info Configures Equipment information that is displayed by the banner GC 4 21 banner configure equipment locati...

Page 355: ...information displayed in the banner Use the no form to restore the default setting Syntax banner configure company name no banner configure company name The name of the company Maximum length 32 characters Console config banner configure Company Samsung Corporation Responsible department R D Dept Name and telephone to Contact the management people Manager1 name Sr Network Admin phone number 123 55...

Page 356: ... id rack rack id electrical circuit ec id no banner configure dc power info floor row rack electrical circuit floor id The floor number row id The row number rack id The rack number ec id The electrical circuit ID Maximum length of each parameter 32 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure dc power info...

Page 357: ...suggested for situations where white space is necessary for clarity Example banner configure equipment info This command is used to configure the equipment information displayed in the banner Use the no form to restore the default setting Syntax banner configure equipment info manufacturer id mfr id floor floor id row row id rack rack id shelf rack sr id manufacturer mfr name no banner configure e...

Page 358: ...re equipment location location no banner configure equipment location location The address location of the device Maximum length 32 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure equipment location command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter char...

Page 359: ...ive non letter characters is suggested for situations where white space is necessary for clarity Example banner configure lp number This command is used to configure the LP number information displayed in the banner Use the no form to restore the default setting Syntax banner configure lp number lp num no banner configure lp number lp num The LP number Maximum length 32 characters Default Setting ...

Page 360: ...umber The phone number of the second manager mgr3 name The name of the third manager mgr3 number The phone number of the third manager Maximum length of each parameter 32 characters Default Setting None Command Mode Global Configuration Command Usage Maximum string length for each command attribute is 32 characters The banner configure manager info command interprets spaces as data input boundarie...

Page 361: ...ces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where white space is necessary for clarity Example banner configure note This command is used to configure the note displayed in the banner Use the no form to restore the default setting Syntax banner configure note note info no banner configure note note info Miscellaneous ...

Page 362: ... note ROUTINE_MAINTENANCE_firmware upgrade_0100 0500_GMT 0500_20071022 _20min_network_impact_expected Console config Console show banner Samsung_Corporation WARNING MONITORED ACTIONS AND ACCESSES R D_Dept Albert_Einstein 123 555 1212 Wile_E _Coyote 123 555 9876 Lamar 123 555 3322 Station s information 710_Network_Path Indianapolis Samsung_Corporation iES4024GP Floor Row Rack Sub Rack 7 10 15 6 DC ...

Page 363: ...er settings 802 1Q tunnel settings Power over Ethernet settings Broadcast storm control settings SNMP community strings Users names and access levels Event log settings VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for the switch Table 4 9 System Status Commands Command Function Mode Pa...

Page 364: ... 1 snmp server community public ro snmp server community private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state active vlan 4093 media ethernet st...

Page 365: ...is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information Switch s MAC address SNTP and NTP server settings 802 1Q tunnel settings Power over Ethernet settings Broadcast storm control settings SNMP community strings Users names and access levels Event log settings VLAN database VLAN ID name and state VLAN configur...

Page 366: ...mmunity private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state active vlan 4093 media ethernet state active spanning tree mst configuration interf...

Page 367: ...ed Exec Command Usage The session used to execute this command is indicated by a symbol next to the Line i e session index number Console show system System Description L2 Gigabit Ethernet PoE Standalone Switch System OID String 1 3 6 1 4 1 236 4 1 12 1 103 System Information System Up Time 0 days 0 hours 1 minutes and 32 18 seconds System Name NONE System Location NONE System Contact NONE MAC Add...

Page 368: ...ic Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 steve 0 00 06 192 168 1 19 Web online users Line Remote IP addr Username Idle time h m s 1 HTTP 192 168 1 19 admin 0 00 00 Console Console show version Unit1 Serial Number S416000937 Hardware Version R01 EPLD Version 0 02 Number...

Page 369: ...ta transfers by supporting jumbo frames up to 10 KB for the Gigabit Ethernet ports Compared to standard Ethernet frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connect...

Page 370: ...startup file Saving or Restoring Configuration Settings Configuration settings can be uploaded and downloaded to and from a TFTP server The configuration file can be later downloaded to restore switch settings The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as the destination file to directly...

Page 371: ...ftp Keyword that allows you to copy to from a TFTP server https certificate Copies an HTTPS certificate from an TFTP server to the switch public key Keyword that allows you to copy a SSH key from a TFTP server Secure Shell Commands on page 4 127 Default Setting None Command Mode Privileged Exec Command Usage The system prompts for data required to complete the copy command The destination file nam...

Page 372: ...erver The following example shows how to upload the configuration settings to a file on the TFTP server The following example shows how to copy the running configuration to a startup file Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 1 2 2 Source file name V1 0 0 5 bix Destination file name V1 0 0 5 bix Write to FLASH Programming Write to FLASH finish S...

Page 373: ...ation file or image name Command Mode Privileged Exec Console copy tftp startup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source private file ...

Page 374: ...includes boot rom Boot ROM or diagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of the configuration file or code image Default Setting None Command Mode Privileged Exec Command Usage If you enter the command dir without any parameters the system displays all files File information is shown below Console delete test2 cfg Console Table 4 ...

Page 375: ...e The type of file or image to set as a default includes boot rom Boot ROM config Configuration file opcode Run time operation code filename Name of the configuration file or code image The colon is required Default Setting None File name File type Startup Size byte Unit1 diag bix Boot Rom Image N 1377600 iES4024GP_bootrom_V1 0 0 10 bix Boot Rom Image Y 1398712 iES4024GP_V1 1 0 14 bix Operation Co...

Page 376: ...ecifies a password on a line LC 4 42 timeout login response Sets the interval that the system waits for a user to log into the CLI LC 4 43 exec timeout Sets the interval that the command interpreter waits until user input is detected LC 4 44 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC 4 44 silent time Sets the amount of time the managem...

Page 377: ...in screen displays such as show users However the serial communication parameters e g databits do not affect Telnet connections Example To enter console line mode enter the following command Related Commands show line 4 48 show users 4 31 login This command enables password checking at login Use the no form to disable password checking and allow connections without a password Syntax login local no...

Page 378: ...nd controls login authentication via the switch itself To configure user names and passwords for remote authentication servers you must use the RADIUS or TACACS software installed on those servers Example Related Commands username 4 101 password 4 42 password This command specifies the password for a line Use the no form to remove the password Syntax password 0 7 password no password 0 7 0 means p...

Page 379: ...aits for a user to log into the CLI Use the no form to restore the default Syntax timeout login response seconds no timeout login response seconds Integer that specifies the timeout interval Range 0 300 seconds 0 disabled Default Setting CLI Disabled 0 seconds Telnet 600 seconds Command Mode Line Configuration Command Usage If a login attempt is not detected within the timeout interval the connect...

Page 380: ...n is kept open otherwise the session is terminated This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set the timeout to two minutes enter this command Related Commands silent time 4 45 timeout login response 4 13 password thresh This command sets the ...

Page 381: ...his command Related Commands silent time 4 45 timeout login response 4 13 silent time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password thresh command Use the no form to remove the silent time value Syntax silent time seconds no silent time seconds The number of seconds to disable co...

Page 382: ...and can be used to mask the high bit on input from devices that generate 7 data bits with parity If parity is being generated specify 7 data bits per character If no parity is required specify 8 data bits per character Example To specify 7 data bits enter this command Related Commands parity 4 46 parity This command defines the generation of a parity bit Use the no form to restore the default sett...

Page 383: ...ond Options 9600 19200 38400 bps Default Setting 9600 Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported Example To specify 38400 bps enter this command stopbits This command sets...

Page 384: ...leged Exec Command Usage Specifying session identifier 0 will disconnect the console connection Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection Example Related Commands show ssh 4 134 show users 4 31 show line This command displays the terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for re...

Page 385: ...e 9600 Databits 8 Parity none Stopbits 1 VTY configuration Password threshold 3 times Interactive timeout 600 sec Login timeout 300 sec console Table 4 14 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 4 49 logging history Limits syslog messages saved to switch memory based on severity GC 4 50 logging host Adds a syslog server host IP address tha...

Page 386: ...evel no logging history flash ram flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset level One of the levels listed below Messages sent include the selected level down to level 0 Range 0 7 Console config logging on Console config Table 4 15 Logging Levels Level Severity Name Description 7 debugging Debugging m...

Page 387: ...st_ip_address The IP address of a syslog server Default Setting None Command Mode Global Configuration Command Usage Use this command more than once to build up a list of host IP addresses The maximum number of host IP addresses allowed is five Example logging facility This command sets the facility type for remote logging of syslog messages Use the no form to return the type to the default Syntax...

Page 388: ... remote server based on severity Use this command without a specified level to enable remote logging Use the no form to disable remote logging Syntax logging trap level no logging trap level One of the level arguments listed below Messages sent include the selected level up through level 0 Refer to the table on page 4 50 Default Setting Enabled Level 7 0 Command Mode Global Configuration Command U...

Page 389: ... displays the configuration settings for logging messages to local switch memory to an SMTP event handler or to a remote syslog server Syntax show logging flash ram sendmail trap flash Displays settings for storing event messages in flash memory i e permanent memory ram Displays settings for storing event messages in temporary RAM i e memory flushed on power reset sendmail Displays settings for th...

Page 390: ...The message level s reported based on the logging history command Console show logging trap Syslog logging Enable REMOTELOG status disable REMOTELOG facility type local use 7 REMOTELOG level type Debugging messages REMOTELOG server IP address 1 2 3 4 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 Conso...

Page 391: ...uding the time stamp message level page 4 50 program module function and event number Example The following example shows sample messages stored in RAM Console show log ram 5 00 01 06 2001 01 01 STA root change notification level 6 module 6 function 1 and event no 1 4 00 01 00 2001 01 01 STA root change notification level 6 module 6 function 1 and event no 1 3 00 00 54 2001 01 01 STA root change n...

Page 392: ...on To open a connection the switch first selects the server that successfully sent mail during the last connection or the first server configured by this command If it fails to send mail the switch selects the next server in the list and tries to send mail again If it still fails the system will repeat the process at a periodic interval A trap will be triggered if the switch cannot successfully op...

Page 393: ...ample This example will send email alerts for system errors from level 4 through 0 logging sendmail source email This command sets the email address used for the From field in alert messages Use the no form to delete the source email address Syntax no logging sendmail source email email address email address The source email address used in alert messages Range 0 41 characters Default Setting None...

Page 394: ...u can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient Example logging sendmail This command enables SMTP event handling Use the no form to disable this function Syntax no logging sendmail Default Setting Enabled Command Mode Global Configuration Example show logging sendmail This command displays the settings for the SMTP event h...

Page 395: ...interval at which the client polls for time GC 4 61 show sntp Shows current SNTP configuration settings NE PE 4 62 NTP Commands ntp client Enables the NTP client for time updates from specified servers GC 4 62 ntp server Specifies NTP servers to poll for time updates GC 4 63 ntp poll Sets the interval at which the NTP client polls for time GC 4 64 ntp authenticate Enables authentication for NTP tr...

Page 396: ...servers command It issues time synchronization requests based on the interval set via the sntp poll command SNTP and NTP clients cannot both be enabled at the same time Example Related Commands sntp server 4 61 sntp poll 4 61 show sntp 4 62 clock summertime recurring Configures summer time daylight savings time for the switch s internal clock GC 4 70 calendar set Sets the system date and time PE 4...

Page 397: ...for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchronization requests based on the interval set via the sntp poll command Example Related Commands sntp client 4 60 sntp poll 4 61 show sntp 4 62 sntp poll This command sets the interval between sending time requests when the switch is set to SNT...

Page 398: ...specified with the ntp servers command Use the no form to disable NTP client requests Syntax no ntp client Default Setting Disabled Command Mode Global Configuration Command Usage SNTP and NTP clients cannot be enabled at the same time First disable the SNTP client before using this command The time acquired from time servers is used to record accurate dates and times for log events Without NTP th...

Page 399: ...The number of an authentication key to use in communications with the server Range 1 65535 Default Setting Version number 3 Command Mode Global Configuration Command Usage This command specifies time servers that the switch will poll for time updates when set to NTP client mode It issues time synchronization requests based on the interval set with the ntp poll command The client will poll all the ...

Page 400: ...ault Setting 16 seconds Command Mode Global Configuration Example Related Commands ntp client 4 62 ntp authenticate This command enables authentication for NTP client server communications Use the no form to disable authentication Syntax no ntp authenticate Default Setting Disabled Command Mode Global Configuration Console config ntp server 192 168 3 20 Console config ntp server 192 168 3 21 Conso...

Page 401: ...authentication key number number The NTP authentication key ID number Range 1 65535 md5 Specifies that authentication is provided by using the message digest algorithm 5 key An MD5 authentication key string The key string can be up to 32 case sensitive printable ASCII characters no spaces Default Setting None Command Mode Global Configuration Command Usage The key number specifies a key value in t...

Page 402: ...sole config Console show ntp Current time Jan 1 02 58 58 2001 Poll interval 16 Current mode unicast NTP status Enabled NTP Authenticate status Enabled Last Update NTP Server 0 0 0 0 Port 0 Last Update time Dec 31 00 00 00 2000 UTC NTP Server 192 168 3 20 version 3 NTP Server 192 168 3 21 version 3 NTP Server 192 168 3 22 version 2 NTP Server 192 168 4 50 version 3 key 30 NTP Server 192 168 5 35 ve...

Page 403: ...cal time zone relative to the Coordinated Universal Time UTC formerly Greenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC Example Related Commands show sntp 4 62 clock timezone This command sets the time zone for t...

Page 404: ...e hour e minute offset no clock summer time name Name of the time zone while summer time is in effect usually an acronym Range 1 30 characters b month The month when summer time will begin Options january february march april may june july august september october november december b day The day summer time will begin Options sunday monday tuesday wednesday thursday friday saturday b year The year...

Page 405: ...gured time zone To specify a time corresponding to your local time when summer time is in effect you must indicate the number of minutes your summer time time zone deviates from your regular time zone Example Related Commands show sntp 4 62 clock summer time predefined This command configures the summer time daylight savings time status and settings for the switch using predefined configurations f...

Page 406: ...for the switch on a recurring basis Use the no form to disable summer time Syntax clock summer time name recurring b week b day b month b hour b minute e week e day e month e hour e minute offset no clock summer time name Name of the timezone while summer time is in effect usually an acronym Range 1 30 characters b week The week of the month when summer time will begin Range 1 5 b day The day of t...

Page 407: ...r time zone in minutes Range 0 99 minutes Default Setting Disabled Command Mode Global Configuration Command Usage In some countries or regions clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less This is known as Summer Time or Daylight Savings Time DST Typically clocks are adjusted forward one hour at the start of spring and then adjusted bac...

Page 408: ... format Range 0 23 min Minute Range 0 59 sec Second Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 Default Setting None Command Mode Privileged Exec Example show calendar This command displays the system clock Default Setting None Command Mode Normal Exec Privileged Exec Example Co...

Page 409: ...selected by the administrator through the management station Note Cluster Member switches can be managed either through a Telnet connection to the Commander or through a web management connection to the Commander When using a console connection from the Commander CLI prompt use the rcommand see page 4 76 to connect to the Member switch cluster This command enables clustering on the switch Use the ...

Page 410: ...ters are maintained across power resets and network changes Example cluster commander This command enables the switch as a cluster Commander Use the no form to disable the switch as cluster Commander Syntax no cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage Once a switch has been configured to be a cluster Commander it automatically discovers other cluste...

Page 411: ...n 1 and 36 Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander You cannot change the cluster IP pool when the switch is currently in Commander mode Commander mode must first be disabled Example cluster member This command c...

Page 412: ...nder switch Managing cluster Members using the local console CLI on the Commander is not supported There is no need to enter the username and password for access to the Member switch CLI Example show cluster This command shows the switch clustering configuration Command Mode Privileged Exec Example Console config cluster member mac address 00 12 34 56 78 9a id 5 Console config Vty 0 rcommand id 1 ...

Page 413: ... device basic information about this switch can be displayed and the web management interface accessed Note UPnP is currently only supported by this switch for Windows Vista but will supported for Windows XP in future releases Console show cluster members Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 12 cf 23 49 c0 Description Ubigate iES4024GP Switch Console Conso...

Page 414: ...abled on the device Related Commands upnp device ttl 4 78 upnp device advertise duration 4 79 upnp device ttl This command sets the time to live TTL value for sending of UPnP messages from the device Syntax upnp device ttl value value The number of router hops a UPnP packet can travel before it is discarded Range 1 255 Default Setting 4 Command Mode Global Configuration Command Usage UPnP devices ...

Page 415: ...00 seconds Default Setting 100 seconds Command Mode Global Configuration Example In the following example the device advertise duration is set to 200 seconds Related Commands upnp device ttl 4 78 show upnp This command displays the UPnP management status and time out settings Command Mode Privileged Exec Example Console config upnp device ttl 6 Console config Console config upnp device advertise d...

Page 416: ...sabled Command Mode Privileged Exec Command Usage Use the debug dot1x command without any classification or feature to enable debugging for all 802 1X authentication processes Use the debug dot1x all command to enable debugging for all of the classification options i e config database event and packet Use the debug dot1x classification show feature command to enable debugging for the specified cla...

Page 417: ...t is received from a supplicant Console debug dot1x packet Console debug dot1x show packet Console 01 02 03 DOT1X pkt Sent an EAP packet code req id 1 length 5 type identity identity 1xuser 01 02 03 DOT1X pkt Sent an EAP packet code req id 1 length 22 type md5 name 1xuser 01 02 03 DOT1X pkt Sent an EAP packet code succ id 1 length 4 01 02 03 DOT1X pkt Sent an EAP packet code failure id 1 length 4 ...

Page 418: ...ormation on authentication processes authorization Displays information on authorization processes Default Setting Disabled 01 02 03 DOT1X event pae sm State changing on port 1 1 from initialize to disconnected 01 02 03 DOT1X event pae sm State changing on port 1 1 from disconnected to connecting 01 02 03 DOT1X event pae sm State changing on port 1 1 from connecting to timeout 01 02 03 DOT1X event...

Page 419: ...cation detailed debug messages will be shown when the switch sends or receives a RADIUS packet Use the debug radius show command to show debug messages for the selected process type Example When the debug packet option is selected messages similar to those shown below are displayed when a RADIUS request packet is sent Console debug radius packet Console debug radius show packet Console 01 02 03 RA...

Page 420: ...es authentication Displays information on authentication processes authorization Displays information on authorization processes Default Setting Disabled Command Mode Privileged Exec Command Usage Use the debug tacacs command without any classification or feature to enable debugging for all TACACS processes Use the debug radius all command to enable debugging for all of the classification options ...

Page 421: ...n is selected messages similar to those shown below are displayed when a TACACS authentication cont control packet is sent Console debug tacacs packet Console debug tacacs show packet Console 01 02 03 TACACS pkt authen Sent a start packet ver 12 0 type authen seq_no 10 flag clear sess_id 20 01 02 03 TACACS avpair authen act login priv 15 type ascii service login user user1 port tty10 addr 01 02 03...

Page 422: ...the server Syntax no snmp server Default Setting Enabled Command Mode Global Configuration Table 4 23 SNMP Commands Command Function Mode Page snmp server Enables the SNMP agent GC 4 86 show snmp Displays the status of SNMP communications NE PE 4 87 snmp server community Sets up the community access string to permit access to SNMP commands GC 4 88 snmp server contact Sets the system contact string...

Page 423: ...ig snmp server Console config Console show snmp SNMP Agent enabled SNMP traps Authentication enable Link up down enable SNMP communities 1 private and the privilege is read write 2 public and the privilege is read only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of...

Page 424: ... stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects Command Mode Global Configuration Example snmp server contact This command sets the system contact string Use the no form to r...

Page 425: ...he no form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Related Commands snmp server contact 4 88 Console config snmp server location WC 19 Console config ...

Page 426: ...NMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend that you define this string using the snmp server community command prior to using the snmp server host command Maximum length 32 characters version Specifies whether to send notifications as SNMP Version 1 2c or 3 traps Range 1 2c 3 Default 1 auth noauth priv This group uses SNMPv3 with...

Page 427: ...on 4 Create a view with the required notification messages page 4 94 5 Create a group that includes the required notify view page 4 96 To send an inform to a SNMPv3 host complete these steps 1 Enable the SNMP agent page 4 86 2 Allow the switch to send SNMP traps i e notifications page 4 92 3 Specify the target host that will receive inform messages with the snmp server host command as described in...

Page 428: ...otifications you must enter at least one snmp server enable traps command If you enter the command with no keywords both authentication and link up down notifications are enabled If you enter the command with a keyword only the notification type related to that keyword is enabled The snmp server enable traps command is used in conjunction with the snmp server host command Use the snmp server host ...

Page 429: ... and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See snmp server host on page 4 90 The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You t...

Page 430: ... the OID string Refer to the examples included Defines an included view excluded Defines an excluded view Default Setting defaultview includes access to the entire MIB tree Command Mode Global Configuration Console show snmp engine id Local SNMP engineID 8000002a8000000000e8666672 Local SNMP engineBoots 1 Remote SNMP engineID IP address 80000000030004e2b316c54321 192 168 1 19 Console Table 4 24 sh...

Page 431: ...ample Console config snmp server view mib 2 1 3 6 1 2 1 included Console config Console config snmp server view ifEntry 2 1 3 6 1 2 1 2 2 1 2 included Console config Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included Console config Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type permanent Row Status active View Name defaultview S...

Page 432: ...ines the view for write access 1 64 characters notifyview Defines the view for notifications 1 64 characters Default Setting Default groups public23 read only private24 read write readview Every object belonging to the Internet OID space 1 3 6 1 writeview Nothing is defined notifyview Nothing is defined Command Mode Global Configuration Command Usage A group sets the access policy for the assigned...

Page 433: ...tive Group Name public Security Model v1 Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status ...

Page 434: ...on 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required priv des56 Uses SNMPv3 with privacy with DES56 encryption priv password Privacy passwor...

Page 435: ...e user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it Example show snmp user This command shows information on SNMP users Command Mode Privileged Exec Example Console config snmp ser...

Page 436: ...tatus The row status of this entry SNMP remote user A user associated with an SNMP engine on a remote device Table 4 28 Authentication Commands Command Group Function Page User Accounts Configures the basic user names and passwords for management access 4 100 Authentication Sequence Defines logon authentication method and precedence 4 103 RADIUS Client Configures settings for authentication via a ...

Page 437: ...8 characters plain text 32 encrypted case sensitive Default Setting The default access level is Normal Exec The factory defaults for the user names and passwords are Command Mode Global Configuration Command Usage Privilege level 0 provides access to a limited number of the commands which display the current status of the switch as well as several database clear and reset functions Level 8 provide...

Page 438: ...s plain text 32 encrypted case sensitive Default Setting The default is level 15 The default password is super Command Mode Global Configuration Command Usage You cannot set a null password You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command page 4 11 The encrypted password is required for compatibility with legacy password setti...

Page 439: ...st packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the authentication sequence F...

Page 440: ...so note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication met...

Page 441: ...UDP port used for authentication messages Range 1 65535 acct_port RADIUS server UDP port used for accounting messages Range 1 65535 timeout Number of seconds the switch waits for a reply before resending a request Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 key Encryption key used to authenticate logon access for client...

Page 442: ... Global Configuration Example radius server acct port This command sets the RADIUS server network port for accounting messages Use the no form to restore the default Syntax radius server acct port port_number no radius server acct port port_number RADIUS server UDP port used for accounting messages Range 1 65535 Default Setting 1813 Command Mode Global Configuration Example Console config radius s...

Page 443: ...ackets sent to the server It may be necessary for certain AAA processes to configure the attribute 4 field to an address other than that of the switch s connecting interface However setting this field to an address other than that of the actual interface connecting the switch to the RADIUS server will not affect the IP address used inside the IP headers of RADIUS packets sent from the switch Some ...

Page 444: ...d Mode Global Configuration Example radius server timeout This command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default Syntax radius server timeout number_of_seconds no radius server timeout number_of_seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 Default Setting 5 Command Mo...

Page 445: ...Server Configuration Global Settings Authentication Port 1812 Accounting Port 1813 Retransmit Times 2 Request Timeout 5 seconds Attributes NAS IP Address 4 192 168 1 1 Server 1 Server IP Address 10 1 2 3 Authentication Port 1812 Accounting Port 1813 Retransmit Times 2 Request Timeout 5 seconds Radius server group Group Name Member Index radius 1 Console Table 4 33 TACACS Commands Command Function ...

Page 446: ...540 seconds retransmit Number of times the switch will resend an authentication request to the TACACS server Range 1 30 key Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 26 characters Default Setting port 49 timeout 5 seconds retransmit 2 Command Mode Global Configuration Example tacacs server port This command specifies the TACACS...

Page 447: ...Command Mode Global Configuration Example tacacs server retransmit This command sets the number of retries Use the no form to restore the default Syntax tacacs server retransmit number_of_retries no tacacs server retransmit number_of_retries Number of times the switch will try to authenticate logon access via the TACACS server Range 1 30 Default Setting 2 Command Mode Global Configuration Example ...

Page 448: ...server Use the no form to restore the default Syntax tacacs server timeout number_of_seconds no tacacs server timeout number_of_seconds Number of seconds the switch waits for a reply before resending a request Range 1 540 Default Setting 5 seconds Command Mode Global Configuration Example Console config tacacs server timeout 10 Console config ...

Page 449: ...mple Console show tacacs server Remote TACACS server configuration Global Settings Communication Key with TACACS Server Server Port Number 49 Retransmit Times 2 Request Times 5 Server 1 Server IP address 192 168 1 25 Communication key with TACACS server Server port number 49 Retransmit Times 2 Request Times 5 Tacacs server group Group Name Member Index tacacs 1 Console ...

Page 450: ... Function Mode Page aaa group server Groups security servers in to defined lists GC 4 114 server Configures the IP address of a server in a group list SG 4 115 aaa accounting dot1x Enables accounting of 802 1X services GC 4 116 aaa accounting exec Enables accounting of Exec services GC 4 117 aaa accounting commands Enables accounting of Exec mode commands GC 4 118 aaa accounting update Enables per...

Page 451: ... server Default Setting None Command Mode Server Group Configuration Command Usage When specifying the index for a RADIUS server that server index must already be defined by the radius server host command see page 4 105 When specifying the index for a TACACS server that server index must already be defined by the tacacs server host command see page 4 110 Example Console config aaa group server rad...

Page 452: ... use radius Specifies all RADIUS hosts configure with the radius server host command described on page 4 105 tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 110 server group Specifies the name of a server group configured with the aaa group server command described on 4 114 Range 1 255 characters Default Setting Accounting is not enabled No serve...

Page 453: ...h the radius server host command described on page 4 105 tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 110 server group Specifies the name of a server group configured with the aaa group server command described on 4 114 Range 1 255 characters Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration C...

Page 454: ... point group Specifies the server group to use tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 110 server group Specifies the name of a server group configured with the aaa group server command described on 4 114 Range 1 255 characters Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usa...

Page 455: ...accounting records for all users on the system Using the command without specifying an interim interval enables updates but does not change the current interval setting Example accounting dot1x This command applies an accounting method for 802 1X service requests on an interface Use the no form to disable accounting on the interface Syntax accounting dot1x default list name no accounting dot1x def...

Page 456: ... an accounting method to entered CLI commands Use the no form to disable accounting for entered commands Syntax accounting commands level default list name no accounting commands level level The privilege level for executing commands Range 0 15 default Specifies the default method list created with the aaa accounting commands command page 4 118 list name Specifies a method list created with the aa...

Page 457: ... 4 110 server group Specifies the name of a server group configured with the aaa group server command described on 4 114 Range 1 255 characters Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage This command performs authorization to determine if a user is allowed to run an Exec shell AAA authentication must be enabled before autho...

Page 458: ...er port Syntax show accounting commands level dot1x statistics username user name interface interface exec statistics statistics commands Displays accounting information for CLI commands level Displays accounting information for CLI commands entered at the specified privilege level Range 0 15 dot1x Displays dot1x accounting information exec Displays Exec accounting records statistics Displays acco...

Page 459: ...terface Range 1 65535 Default Setting 80 Console show accounting Accounting type dot1x Method list default Group list radius Interface Method list tps Group list radius Interface eth 1 2 Accounting type Exec Method list default Group list radius Interface vty Console Table 4 34 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface GC...

Page 460: ...and Mode Global Configuration Example Related Commands ip http port 4 123 ip http secure server This command enables the secure hypertext transfer protocol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disable this function Syntax no ip http secure server Default Setting Enabled Command Mode Global Config...

Page 461: ...ozilla Firefox 2 0 0 0 or above The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 3 78 Also refer to the copy command on page 4 35 Example Related Commands ip http secure port 4 125 copy tftp https certificate 4 35 ip http secure port This command specifies the UDP port number used...

Page 462: ...ifies the TCP port number used by the Telnet interface Use the no form without the port keyword to disable this function Use the no from with the port keyword to use the default port Syntax ip telnet server port port number no telnet server port port The TCP port used by the Telnet interface port number The TCP port number to be used by the browser interface Range 1 65535 Default Setting Server En...

Page 463: ... Console config ip telnet server Console config ip telnet server port 123 Console config Table 4 37 SSH Commands Command Function Mode Page ip ssh server Enables the SSH server on the switch GC 4 129 ip ssh timeout Specifies the authentication timeout for the SSH server GC 4 130 ip ssh authentication retries Specifies the number of retries allowed by a client GC 4 131 ip ssh server key size Sets t...

Page 464: ... the User Accounts page as described on page 3 58 The clients are subsequently authenticated using these keys The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key 1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199 69631...

Page 465: ...ivate key corresponds to an authorized public key and the client is authenticated Authenticating SSH v2 Clients a The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable b If the specified algorithm is supported by the switch it notifies the client to proceed with the authentication process Otherwise it rejects the request c The c...

Page 466: ... the default setting Syntax ip ssh timeout seconds no ip ssh timeout seconds The timeout for client response during SSH negotiation Range 1 120 Default Setting 10 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user...

Page 467: ...iguration Example Related Commands show ip ssh 4 134 ip ssh server key size This command sets the SSH server key size Use the no form to restore the default setting Syntax ip ssh server key size key size no ip ssh server key size key size The size of server key Range 512 896 bits Default Setting 768 bits Command Mode Global Configuration Command Usage The server key is a private key that is never ...

Page 468: ... rsa RSA Version 1 key type Default Setting Generates both the DSA and RSA key pairs Command Mode Privileged Exec Command Usage This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must...

Page 469: ... the host key from volatile memory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command Example Related Commands ip ssh crypto host key generate 4 132 ip ssh save host key 4 133 no ip ssh server 4 129 ip ssh save host key This command saves host key from RAM to flash memory Syntax ip ssh save host ke...

Page 470: ...key dsa Console Console show ip ssh SSH Enabled version 1 99 Negotiation timeout 120 secs Authentication retries 3 Server key size 768 bits Console Console show ssh Connection Version State Username Encryption 0 2 0 Session Started admin ctos aes128 cbc hmac md5 stoc aes128 cbc hmac md5 Console Table 4 38 show ssh display description Field Description Session The session number Range 0 3 Version T...

Page 471: ...sed by SSH is based on the Digital Signature Standard DSS and the last string is the encoded modulus Encryption The encryption method is automatically negotiated between the client and server Options for SSHv1 5 include DES 3DES Options for SSHv2 0 can include different algorithms for the client to server ctos and server to client stoc aes128 cbc hmac sha1 aes192 cbc hmac sha1 aes256 cbc hmac sha1...

Page 472: ...A ssh dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV yrDbKStIlnzD Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjw bvwrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw Kjw6Bm iFq7O jAhf1Dg45loAc27s6TLdtny...

Page 473: ...hat the switch retransmits an EAP request identity packet to the client before it times out the authentication session IC 4 138 dot1x port control Sets dot1x mode for a port interface IC 4 138 dot1x operation mode Allows single or multiple hosts on an dot1x port IC 4 139 dot1x re authenticate Forces re authentication on specific ports PE 4 140 dot1x re authentication Enables re authentication for ...

Page 474: ...and Mode Interface Configuration Example dot1x port control This command sets the dot1x mode on a port interface Use the no form to restore the default Syntax dot1x port control auto force authorized force unauthorized no dot1x port control auto Requires a dot1x aware connected client to be authorized by the RADIUS server Clients that are not dot1x aware will be denied access force authorized Conf...

Page 475: ... Keyword for the maximum number of hosts count The maximum number of hosts that can connect to a port Range 1 1024 Default 5 Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command page 4 138 In multi host mode only one host connected to a port needs...

Page 476: ...d to the Guest VLAN see dot1x intrusion action on page 4 142 Example dot1x re authentication This command enables periodic re authentication globally for all ports Use the no form to disable re authentication Syntax no dot1x re authentication Command Mode Interface Configuration Command Usage The re authentication process verifies the connected client s user ID and password on the RADIUS server Du...

Page 477: ...umber of seconds Range 1 65535 Default 60 seconds Command Mode Interface Configuration Example dot1x timeout re authperiod This command sets the time period after which a connected client must be re authenticated Syntax dot1x timeout re authperiod seconds no dot1x timeout re authperiod seconds The number of seconds Range 1 65535 Default 3600 seconds Command Mode Interface Configuration Console con...

Page 478: ...ed authentication either to block all traffic or to assign all traffic for the port to a guest VLAN Use the no form to reset the default Syntax dot1x intrusion action block traffic guest vlan no dot1x intrusion action Default block traffic Command Mode Interface Configuration Command Usage For guest VLAN assignment to be successful the VLAN must be configured and set as active vlan database on pag...

Page 479: ...trative state for port access control Operation Mode Dot1x port control operation mode page 4 139 Mode Dot1x port control mode page 4 138 Authorized Authorization status yes or n a not authorized 802 1X Port Details Displays the port access control parameters for each interface including the following items reauth enabled Periodic re authentication page 4 140 reauth period Time after which a conne...

Page 480: ...the current authentication session Intrusion action Shows whether the switch will block all non EAP traffic or assign traffic on the port to a guest VLAN if authentication fails Authenticator State Machine State Current state including initialize disconnected connecting authenticating authenticated aborting held force_authorized force_unauthorized Reauth Count Number of times connecting state is r...

Page 481: ...02 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant timeout 30 server timeout 10 reauth max 2 max req 5 Status Authorized Operation mode Single Host Max count 5 Port control Auto Supplicant 00 12 cf 49 5e dc Current Identifier 3 Intrusion action Guest VLAN Authenticator State Machine State Authenticated Reauth...

Page 482: ...gement interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five different sets of addresses either individual addresses or address ranges When entering addresses for the...

Page 483: ...nmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console config management all client 192 168 1 19 Console config management all client 192 168 1 25 192 168 1 30 Console config Console show management all client Management IP Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 ...

Page 484: ...vate VLANs Configures private VLANs including uplink and downlink ports 4 271 Port Security The priority of execution for these filtering commands is Port Security Port Authentication Network Access Web Authentication Access Control Lists DHCP Snooping and then IP Source Guard Configures secure addresses for a port 4 149 Port Authentication Configures host authentication on specific ports using 80...

Page 485: ...se the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses Syntax port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take when port security is violat...

Page 486: ... sets the response to a security violation to issue a trap message Related Commands shutdown 4 195 mac address table static 4 222 show mac address table 4 224 Network Access MAC Address Authentication Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port Traffic received from a specific MAC address is f...

Page 487: ... assignment from a RADIUS server IC 4 153 network access guest vlan Specifies the guest VLAN IC 4 154 mac authentication reauth time Sets the time period after which a connected MAC address must be re authenticated GC 4 155 mac authentication intrusion action Determines the port response when a connected host fails MAC authentication IC 4 155 mac authentication max mac count Sets a maximum for mac...

Page 488: ...r of secure MAC addresses supported for the switch system is 1024 Configured static MAC addresses are added to the secure address table when seen on a switch port Static addresses are treated as authenticated without sending a request to a RADIUS server MAC authentication 802 1X and port security cannot be configured together on the same port Only one security mechanism can be applied MAC authenti...

Page 489: ...upported for the switch system is 1024 When the limit is reached all new MAC addresses are treated as authentication failed Example network access dynamic vlan Use this command to enable dynamic VLAN assignment for an authenticated port Use the no form to disable dynamic VLAN assignment Syntax no network access dynamic vlan Default Setting Enabled Command Mode Interface Configuration Command Usage...

Page 490: ...rt to a guest VLAN when network access MAC authentication or 802 1x authentication is rejected Use the no form of this command to disable guest VLAN assignment Syntax network access guest vlan vlan id no network access guest vlan vlan id VLAN ID Range 1 4094 Default Setting Disabled Command Mode Interface Configuration Command Usage The VLAN to be used as the guest VLAN must be defined and set as ...

Page 491: ...l ports When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During the reauthentication process traffic through the port remains unaffected Example mac authentication intrusion action Use this command to configure the port response to a host MAC authentication failure Use the no form of this command to restore the default Syntax mac authenti...

Page 492: ...le clear network access Use this command to clear entries from the secure MAC addresses table Syntax clear network access mac address table static dynamic address mac address interface interface static Specifies static address entries dynamic Specifies dynamic address entries mac address Specifies a MAC address entry Format xx xx xx xx xx xx interface Specifies a port interface ethernet unit port ...

Page 493: ...ber Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP Default Setting Displays the settings for all interfaces Command Mode Privileged Exec Example Console show network access interface ethernet 1 1 Global secure port information Reauthentication Time 1800 Port 1 1 MAC Authentication Disabled MAC Authentication Intrusion action Block traffic MAC Authentication Maximum MAC Counts 1024 Maximum MAC ...

Page 494: ...S4028FP 1 24 on iES4024GP sort Sorts displayed entries by either MAC address or interface Default Setting Displays all filters Command Mode Privileged Exec Command Usage When using a bit mask to filter displayed MAC addresses a 1 means care and a 0 means don t care For example a MAC of 00 00 01 02 03 04 and mask FF FF FF 00 00 00 would result in all MACs in the range 00 00 01 00 00 00 to 00 00 01 ...

Page 495: ...imit is reached the switch refuses further login attempts until the quiet time expires Use the no form to restore the default Syntax web auth login attempts count no web auth login attempts count The limit of allowed failed login attempts Range 1 3 Table 4 44 Web Authentication Command Function Mode Page web auth login attempts Defines the limit for failed web authentication login attempts GC 4 15...

Page 496: ...nge 1 180 seconds Default Setting 60 seconds Command Mode Global Configuration Example web auth session timeout This command defines the amount of time a web authentication session remains valid When the session timeout has been reached the host is logged off and must re authenticate itself the next time data is transmitted Use the no form to restore the default Syntax web auth session timeout tim...

Page 497: ...an interface must be enabled for the web authentication feature to be active Example web auth This command enables web authentication for a port Use the no form to restore the default Syntax no web auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web auth system auth control for the switch and web auth for a port must be enabled for the web authentication featu...

Page 498: ...le web auth re authenticate IP This command ends the web authentication session associated with the designated IP address and forces the user to re authenticate Syntax web auth re authenticate interface interface ip interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP ip IPv4 formatted IP address Default Set...

Page 499: ...rs and statistics Syntax show web auth interface interface interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP Default Setting None Command Mode Privileged Exec Command Usage The session timeout displayed by this command is expressed in seconds Console show web auth Global Web Auth Parameters System Auth Co...

Page 500: ...aining Session Time 1 1 1 1 Authenticated 295 1 1 1 2 Authenticated 111 Console Console show web auth summary Global Web Auth Parameters System Auth Control Enabled Port Status Authenticated Host Count 1 1 Disabled 0 1 2 Enabled 8 1 3 Disabled 0 1 4 Disabled 0 1 5 Disabled 0 Table 4 45 DHCP Snooping Commands Command Function Mode Page ip dhcp snooping Enables DHCP snooping globally GC 4 165 ip dhc...

Page 501: ...d interfaces Each entry includes a MAC address IP address lease time VLAN identifier and port identifier When DHCP snooping is enabled the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second Any DHCP packets in excess of this limit are dropped Filtering rules are implemented as follows If global DHCP snooping is disabled all DHCP packets are for...

Page 502: ...C address in the Ethernet header If the DHCP packet is not a recognizable type it is dropped If a DHCP packet from a client passes the filtering criteria above it will only be forwarded to trusted ports in the same VLAN If a DHCP packet from a server is received on a trusted port it will be forwarded to both trusted and untrusted ports in the same VLAN If the DHCP snooping is globally disabled all...

Page 503: ...n the DHCP snooping is globally disabled DHCP snooping can still be configured for specific VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is globally enabled configuration changes for specific VLANs have the following effects If DHCP snooping is disabled on a VLAN all dynamic bindings learned for this VLAN are removed from the binding tabl...

Page 504: ...e default status or as specifically configured for an interface with the no ip dhcp snooping trust command When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Additional considerations when the switch itself is a DHCP client The port s through which it submits a client request to the DHCP server must be configured as trus...

Page 505: ...Option 82 it allows compatible DHCP servers to use the information when assigning IP addresses or to set other services or policies for clients When the DHCP Snooping Information Option is enabled the requesting client or an intermediate relay agent that has used the information fields to describe itself can be identified in the DHCP request packets forwarded by the switch and in reply packets sen...

Page 506: ...ode Global Configuration Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information the switch can be configured to set the action policy for these packets The switch can either drop the DHCP packets keep the existing information or replace it with the switch s relay information Example ip dhcp snooping database flash This command writes all dy...

Page 507: ...Mode Privileged Exec Example Console config ip dhcp snooping database flash Console config Console config ip dhcp snooping database flash Console config Console show ip dhcp snooping Global DHCP Snooping status disable DHCP Snooping Information Option Status disable DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interf...

Page 508: ...fault Setting Disabled Command Mode Interface Configuration Ethernet Command Usage Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor Setting source guard mode to sip or sip mac enables this function on the selected port Us...

Page 509: ...implemented as follows If DHCP snooping is disabled see page 4 165 IP source guard will check the VLAN ID source IP address port number and source MAC address for the sip mac option If a matching entry is found in the binding table and the entry type is static IP source guard binding the packet will be forwarded If the DHCP snooping is enabled IP source guard will check the VLAN ID source IP addre...

Page 510: ...nite lease time which is indicated with a value of zero by the show ip source guard command page 4 175 When source guard is enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configured in the source guard binding table with this command Static bindings are processed as follows If there is no entry with same VLAN ID and MAC address a new entry is a...

Page 511: ... source guard binding dhcp snooping static dhcp snooping Shows dynamic entries configured with DHCP Snooping commands see page 4 164 static Shows static entries configured with the ip source guard binding command see page 4 174 Command Mode Privileged Exec Example Console show ip source guard Interface Filter type Eth 1 1 DISABLED Eth 1 2 DISABLED Eth 1 3 DISABLED Eth 1 4 DISABLED Eth 1 5 SIP Eth ...

Page 512: ...ccess Control Lists Command Groups Function Page IP ACLs Configures ACLs based on IP addresses TCP UDP port number and protocol type 4 176 MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type 4 182 ACL Information Displays ACLs and associated rules shows ACLs assigned to each port 4 187 Table 4 48 IP ACLs Command Function Mode Page access list ip Creates an IP ACL a...

Page 513: ...ia acl_name Name of the ACL Maximum length 16 characters no spaces Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command fo...

Page 514: ... are appended to the end of the list Address bitmasks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned...

Page 515: ...tocol number A specific protocol number Range 0 255 source Source IP address destination Destination IP address address bitmask Decimal number representing the address bits to match host Keyword followed by a specific IP address precedence IP precedence level Range 0 7 dscp DSCP priority level Range 0 63 sport Protocol25 source port number Range 0 65535 dport Protocol25 destination port number Ran...

Page 516: ... control code 2 2 Both SYN and ACK valid use control code 18 18 SYN valid and ACK invalid use control code 2 18 Example This example accepts any incoming packets if the source address is within subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through This allows TCP packets from class C address...

Page 517: ...group This command binds a port to an IP ACL Use the no form to remove the port Syntax no ip access group acl_name in acl_name Name of the ACL Maximum length 16 characters no spaces in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you b...

Page 518: ...e access list to one or more ports Console config int eth 1 25 Console config if ip access group david in Console config if Console show ip access group Interface ethernet 1 25 IP access list david in Console Table 4 49 MAC ACL Commands Command Function Mode Page access list mac Creates a MAC ACL and enters configuration mode GC 4 183 permit deny Filters packets matching a specified source and des...

Page 519: ...mmand Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules Example Related Commands permit d...

Page 520: ... any host destination destination address bitmask ethertype protocol protocol bitmask no permit deny tagged 802 3 any host source source address bitmask any host destination destination address bitmask cos cos cos bitmask vid vid vid bitmask no permit deny untagged 802 3 any host source source address bitmask any host destination destination address bitmask tagged eth2 Tagged Ethernet II packets u...

Page 521: ...IP 0806 ARP 8137 IPX Example This rule permits packets from any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Related Commands access list mac 4 183 show mac access list This command displays the rules for configured MAC ACLs Syntax show mac access list acl_name acl_name Name of the ACL Maximum length 16 characters Command Mode Privileged Exec Exam...

Page 522: ... A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Example Related Commands show mac access list 4 185 show mac access group This command shows the ports assigned to MAC ACLs Command Mode Privileged Exec Example Related Commands mac access group 4 186 Console config interface ethernet...

Page 523: ...up Shows the ACLs assigned to each port PE 4 187 Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 16 0 255 255 240 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp control code 2 2 IP access list jerry permit any host 00 30 29 94 34 ...

Page 524: ...nfigures the speed and duplex operation of a given interface when autonegotiation is disabled IC 4 189 negotiation Enables autonegotiation of a given interface IC 4 190 capabilities Advertises the capabilities of a given interface for use in autonegotiation IC 4 191 flowcontrol Enables flow control on a given interface IC 4 192 media type Forces port type selected for combination ports IC 4 193 gi...

Page 525: ... Example The following example adds a description to port 24 speed duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled Use the no form to restore the default Syntax speed duplex 1000full 100full 100half 10full 10half no speed duplex 1000full Forces 1000 Mbps full duplex operation 100full Forces 100 Mbps full duplex operation 100half Forces...

Page 526: ...peration to the speed and duplex mode specified in a speed duplex command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable auto negotiation the optimal settings will be determined by the capabilities command To set the speed duplex mode under auto negotiation the required mode must be specified in the capabilities lis...

Page 527: ...ut parameters to restore the default values Syntax no capabilities 1000full 100full 100half 10full 10half flowcontrol symmetric 1000full Supports 1000 Mbps full duplex operation 100full Supports 100 Mbps full duplex operation 100half Supports 100 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 10half Supports 10 Mbps half duplex operation flowcontrol Supports flow control ...

Page 528: ...on Ethernet Port Channel Command Usage Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabled back pressure is used for half duplex operation and IEEE 802 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to di...

Page 529: ... the default mode Syntax media type mode no media type mode copper forced Always uses the built in RJ 45 port sfp forced Always uses the SFP port even if module not installed sfp preferred auto Uses SFP port if both combination types are functioning and the SFP port has a valid link Default Setting sfp preferred auto Command Mode Interface Configuration Ethernet Ports 23 24 Example This forces the...

Page 530: ...tion over any 1000BASE T port or trunk If not used the success of the link process cannot be guaranteed when connecting to other types of switches However this switch does provide a means of forcing a link to operate at 1000 Mbps full duplex using the giga phy mode command To force 1000full operation requires the ports at both ends of a link to establish their role in the connection process as a m...

Page 531: ...t and unknown unicast storm control Use the no form to restore the default setting Syntax switchport broadcast multicast unknown unicast packet rate rate no switchport broadcast multicast unknown unicast broadcast Specifies storm control for broadcast traffic multicast Specifies storm control for multicast traffic unknown unicast Specifies storm control for unknown unicast traffic rate Threshold l...

Page 532: ...t by the multicast storm control command And when unknown unicast storm control is enabled both multicast and unknown unicast storm control are also enabled using the threshold value set by the unknown unicast storm control command Example The following shows how to configure broadcast storm control at 500 kilobits per second clear counters This command clears statistics on an interface Syntax cle...

Page 533: ...terfaces status This command displays the status for an interface Syntax show interfaces status interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 vlan vlan id Range 1 4094 Default Setting Shows the status for all interfaces Command Mode Normal Exec Privileged Exec Command Usage If no ...

Page 534: ...ype 100TX Mac address 00 12 CF 12 34 61 Configuration Name Port admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full Broadcast storm Enabled Broadcast storm limit 64 Kbits second Multicast Storm Disabled Multicast Storm Limit 64 Kbits second UnknownUnicast Storm Disabled UnknownUnicast Storm Limit 64 Kbits second Flow control Disabled LACP Disabled Port Security Disabled Max MAC c...

Page 535: ... Unicast output 5 Discard input 0 Discard output 0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like stats Alignment errors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive colli...

Page 536: ...ort Statistics Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled if enabled it also shows the threshold level page 4 195 Multicast Threshold Shows if multicast storm suppression is enabled or disabled if enabled it also shows the threshold level page 4 195 Unknown unicast Threshold Shows if unknown unicast storm suppression is enabled or disabled if ...

Page 537: ... VLAN Mode Shows the private VLAN mode as host promiscuous or none 4 273 Private VLAN host association Shows the secondary or community VLAN with which this port is associated 4 274 Private VLAN mapping Shows the primary VLAN mapping for a promiscuous port 4 275 802 1Q tunnel Status Shows if 802 1Q tunnel is enabled on this interface page 4 264 802 1Q tunnel Mode Shows the tunnel mode as Normal 80...

Page 538: ...communication mode i e speed duplex mode and flow control VLAN assignments and CoS settings Any of the SFP transceivers can be trunked together including those of different media types All the ports in a trunk have to be treated as a whole when moved from to added or deleted from a VLAN via the specified port channel Table 4 53 Link Aggregation Commands Command Function Mode Page Manual Configurat...

Page 539: ...t be set to the same value for a port to be allowed to join a channel group If a link goes down LACP port priority is used to select the backup link channel group This command adds a port to a trunk Use the no form to remove a port from a trunk Syntax channel group channel id no channel group channel id Trunk index Range 1 8 Default Setting The current port will be added to this trunk Command Mode...

Page 540: ...s of an LACP trunk must be configured for full duplex and auto negotiation A trunk formed with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target switch have LACP enabled the additional ports will b...

Page 541: ...evice to other switches during LAG negotiations Range 0 65535 Default Setting 32768 Console config interface ethernet 1 11 Console config if lacp Console config if exit Console config interface ethernet 1 12 Console config if lacp Console config if exit Console config interface ethernet 1 13 Console config if lacp Console config if exit Console config exit Console show interfaces status port chann...

Page 542: ...key Use the no form to restore the default setting Syntax lacp actor partner admin key key no lacp actor partner admin key actor The local side an aggregate link partner The remote side of an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggregation group LAG Range 0 65535 Default Setting 0 Command Mode Interface Configuration Ethernet C...

Page 543: ... during local LACP setup on this switch Range 0 65535 Default Setting 0 Command Mode Interface Configuration Port Channel Command Usage Ports are only allowed to join the same LAG if 1 the LACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is f...

Page 544: ...igher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port Once the remote side of a link has been established LACP operational settings are already in use on that side Configu...

Page 545: ... Interface Configuration Ethernet Command Usage Regardless of the LACP initiation mode if the target switch has also enabled LACP on the connected ports and negotiations are successfully completed the trunk will be activated automatically Example show lacp This command displays LACP information Syntax show lacp port channel counters internal neighbors sysid port channel Local identifier for a link...

Page 546: ... of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do n...

Page 547: ...efaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection of incomi...

Page 548: ...gned by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partne...

Page 549: ... 7E 60 5 32768 00 13 F7 D3 7E 60 6 32768 00 13 F7 D3 7E 60 7 32768 00 13 F7 D3 7E 60 8 32768 00 13 F7 D3 7E 60 Console Table 4 57 show lacp sysid display description Field Description Channel group A link aggregation group configured on this switch System Priority LACP system priority for this channel group System MAC Address System MAC address The LACP system priority and system MAC address are c...

Page 550: ...er priority settings to limit the supplied power Example Related Commands power inline priority 4 216 power inline compatible This command allows the switch to detect and provide power to powered devices that were designed prior to the IEEE 802 3af PoE standard Use the no form to disable this feature Syntax no power inline compatible Default Setting Disabled Command Mode Global Configuration Comma...

Page 551: ... power inline Default Setting Detection is enabled for PoE compliant devices Command Mode Interface Configuration Command Usage When detection is enabled for PoE compliant devices power is automatically supplied when a device is detected on the port providing that the power demanded does not exceed switch s power budget Example Console config power inline compatible Console config end Console show...

Page 552: ...rt power remains off Example power inline priority This command sets the power priority for specific ports Use the no form to restore the default setting Syntax power inline priority priority no power inline priority priority The power priority for the port Options 1 critical 2 high or 3 low Default Setting 3 low Command Mode Interface Configuration Command Usage If the power demand from devices c...

Page 553: ...tch to exceed its budget power will not be provided to that port regardless of its priority setting Example Related Commands power mainpower maximum allocation 4 214 show power inline status This command displays the current power status for all ports or for specific ports Syntax show power inline status interface interface ethernet unit Stack unit Range 1 8 port Port number Range 1 26 Command Mod...

Page 554: ...iwatts Priority The port s power priority setting see power inline priority on page 216 Console show power mainpower Unit 1 Mainpower Status Maximum Available Power 180 watts System Operation Status on Mainpower Consumption 15 watts Software Version Version 0x01F9 Build 0x04 Console Table 4 60 show power mainpower parameters Parameter Description Maximum Available Power The available power budget ...

Page 555: ...mand Mode Interface Configuration Ethernet destination port Command Usage You can mirror traffic from any source port to a destination port for real time analysis You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner The destination port is set by specifying an Ethernet interface The mirror port ...

Page 556: ...s all sessions Command Mode Privileged Exec Command Usage This command displays the currently configured source port destination port and mirror mode i e RX TX RX TX Example The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 rx Console config if Console config interface ethernet 1 11 Console config if p...

Page 557: ...interface Use this command without specifying a rate to restore the default rate limit Use the no form to restore the default status of disabled Syntax rate limit input output rate no rate limit input output input Input rate limit output Input rate limit rate The traffic rate limit level Range 64 100000 kilobits per second for 100 Mbps ports 64 1000000 kilobits per second for 1 Gbps ports Default ...

Page 558: ...S4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 vlan id VLAN ID Range 1 4094 action delete on reset Assignment lasts until the switch is reset permanent Assignment is permanent Default Setting No static addresses are defined The default mode is permanent Command Mode Global Configuration Table 4 63 Address Table Commands Command Function Mode Page mac address table static Maps...

Page 559: ...address is seen on another interface the address will be ignored and will not be written to the address table A static address cannot be learned on another port until the address is removed with the no form of this command Example clear mac address table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system...

Page 560: ...Table contains the MAC addresses associated with each interface Note that the Type field may include the following types Learned Dynamic address entries Permanent Static entry Delete on reset Static entry to be deleted when system is reset The mask should be hexadecimal numbers representing an equivalent bit mask in the form xx xx xx xx xx xx that is applied to the specified MAC address Enter hexa...

Page 561: ...0000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example show mac address table aging time This command shows the aging time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console config mac address table aging time 100 ...

Page 562: ... to MSTP configuration mode GC 4 233 mst vlan Adds VLANs to a spanning tree instance MST 4 233 mst priority Configures the priority of a spanning tree instance MST 4 234 name Configures the name for the multiple spanning tree MST 4 235 revision Configures the revision number for the multiple spanning tree MST 4 235 max hops Configures the maximum number of hops allowed in the region before a BPDU ...

Page 563: ... and provide backup links which automatically take over when a primary link goes down Example This example shows how to enable the Spanning Tree Algorithm for the switch spanning tree mst cost Configures the path cost of an instance in the MST IC 4 244 spanning tree mst port priority Configures the priority of an instance in the MST IC 4 245 spanning tree protocol migration Re checks the appropria...

Page 564: ... RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below STP Mode If the switch receives an 802 1D BPDU after a port s migration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives...

Page 565: ... states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discarding state otherwise temporary data loops might result Example spanning tree hello time This command configures th...

Page 566: ...r of 6 or 2 x hello time 1 The maximum value is the lower of 40 or 2 x forward time 1 Default Setting 20 seconds Command Mode Global Configuration Command Usage This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular interv...

Page 567: ...he highest priority i e lower numeric value becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Example spanning tree system bpdu flooding This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally ...

Page 568: ...ge from 1 65535 This method is based on the IEEE 802 1 Spanning Tree Protocol Default Setting Long method Command Mode Global Configuration Command Usage The path cost method is used to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Note that path cost page 4 237 takes precede...

Page 569: ...al Configuration Example Related Commands mst vlan 4 233 mst priority 4 234 name 4 235 revision 4 235 max hops 4 236 mst vlan This command adds VLANs to a spanning tree instance Use the no form to remove the specified VLANs Using the no form without any VLAN parameters to remove all VLANs Syntax no mst instance_id vlan vlan range instance_id Instance identifier of the spanning tree Range 0 4094 vl...

Page 570: ...nce on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree Example mst priority This command configures the priority of a spanning tree instance Use the no form to restore the default Syntax mst instance_id priority priority no mst instance_id priority instance_id Instance identifier of the spanning ...

Page 571: ...and revision number page 4 235 are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances Example Related Commands revision 4 235 revision This command configures the revision number for this multiple spanning tree configuration of this ...

Page 572: ...on Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols Therefore the message age for BPDUs inside an MSTI region is never changed However each spanning tree instance within a region and the internal spanning tree IST that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements the hop cou...

Page 573: ... long path cost method Console config interface ethernet 1 5 Console config if spanning tree spanning disabled Console config if 27 Use the spanning tree pathcost method command on page 4 232 to set the path cost method Table 4 65 Recommended STA Path Cost Range Port Type IEEE 802 1D 1998 IEEE 802 1w 2001 Ethernet 50 600 200 000 20 000 000 Fast Ethernet 10 60 20 000 2 000 000 Gigabit Ethernet 3 10...

Page 574: ...a and higher values assigned to ports with slower media Path cost takes precedence over port priority When the spanning tree pathcost method page 4 232 is set to short the maximum value for path cost is 65 535 Example spanning tree port priority This command configures the priority for the specified interface Use the no form to restore the default Syntax spanning tree port priority priority no spa...

Page 575: ... can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers retains the current forwarding database to reduce the amount of fra...

Page 576: ...ding can achieve quicker convergence for end node workstations and servers and also overcome other STA related timeout problems Remember that fast forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end node device This command is the same as spanning tree edge port and is only included for backward compatibility with earlier product...

Page 577: ... setting point to point Point to point link shared Shared medium Default Setting auto Command Mode Interface Configuration Ethernet Port Channel Command Usage Specify a point to point link if the interface can only be connected to exactly one other bridge or a shared link if it can be connected to two or more bridges When automatic detection is selected the switch derives the link type from the du...

Page 578: ...ction will not be active if Spanning Tree is disabled on the switch Example spanning tree loopback detection release mode This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received Use the no form to restore the default Syntax spanning tree loopback detection release mode auto manual no spanning tree loopback detection release m...

Page 579: ...k Detection will not be active if Spanning Tree is disabled on the switch When configured for manual release mode then a link down up event will not release the port from the discarding state Example spanning tree loopback detection trap This command enables SNMP trap notification for Spanning Tree loopback BPDU detections Use the no form to restore the default Syntax spanning tree loopback detect...

Page 580: ...cate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 The default path costs are listed in Table 4 67 on page 4 238 Command Mode Interface Configuration Ethernet Port Channel Command Usage Each spanning tree instance is associated with a unique set of VLAN IDs This comman...

Page 581: ...ltiple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one interface is assigned the highest priority the interface with lowest numeric identifier will be enabled Example Related Commands spanning tree mst cost 4 244 spanning tree protoco...

Page 582: ...t number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 instance_id Instance identifier of the multiple spanning tree Range 0 4094 no leading zeroes Default Setting None Command Mode Privileged Exec Command Usage Use the show spanning tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and ...

Page 583: ...nated Root 32768 0 0000ABCD0000 Current root port 1 Current root cost 10000 Number of topology changes 1 Last topology changes time sec 22 Transmission limit 3 Path Cost Method long Eth 1 1 information Admin status enable Role root State forwarding External admin path cost 10000 Internal admin cost 10000 External oper path cost 10000 Internal oper path cost 10000 Priority 128 Designated cost 20000...

Page 584: ...es GVRP settings that permit automatic VLAN learning shows the configuration for bridge extension MIB 4 249 Editing VLAN Groups Sets up VLAN groups including name VID and state 4 254 Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP 4 256 Displaying VLAN Information Displays VLAN groups status port members and...

Page 585: ...k This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch Example Table 4 69 GVRP and Bridge Extension Commands Command Function Mode Page bridge ext gvrp Enables GVRP globally for the switch GC 4 249 show bridge ext Shows the global bridge extension configuration PE 4 250 switchport gvrp Enables GVRP for an interface IC 4 250...

Page 586: ...mmand enables GVRP for a port Use the no form to disable it Syntax no switchport gvrp Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Example Console show bridge ext Max support vlan numbers 256 Max support vlan ID 4094 Extended multicast filtering services No Static entry individual port Yes VLAN learning IVL Configurable PVID tagging Yes Local VLAN capable No ...

Page 587: ...istics This command shows GVRP protocol related statistics Syntax show gvrp statistics interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Command Mode Normal Exec Privileged Exec Command Usage The meaning of the GARP attribute registration deregistration message types displayed by this...

Page 588: ...ocol related statistics Syntax show gvrp statistics interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Command Mode Normal Exec Privileged Exec Example Console show gvrp statistics ethernet 1 1 GVRP statistics for Eth 1 1 Received JoinEmpty 0 JoinIn 0 Empty 0 LeaveIn 0 LeaveEmpty 0 Lea...

Page 589: ...Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration Timer values are applied to GVRP for all the ports ...

Page 590: ...ivileged Exec Example Related Commands garp timer 4 253 Editing VLAN Groups vlan database This command enters VLAN database mode All commands in this mode will take effect immediately Default Setting None Console show garp timer ethernet 1 1 Eth 1 1 GARP timer status Join timer 100 centiseconds Leave timer 60 centiseconds Leaveall timer 1000 centiseconds Console Table 4 70 Editing VLAN Groups Comm...

Page 591: ... form to restore the default settings or delete a VLAN Syntax vlan vlan id name vlan name media ethernet state active suspend no vlan vlan id name state vlan id ID of configured VLAN Range 1 4092 no leading zeroes name Keyword to be followed by the VLAN name vlan name ASCII string from 1 to 32 characters media ethernet Ethernet media type state Keyword to be followed by the VLAN state active VLAN ...

Page 592: ...onfig vlan database Console config vlan vlan 105 name RD5 media ethernet Console config vlan Table 4 71 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN GC 4 256 switchport mode Configures VLAN membership mode for an interface IC 4 257 switchport acceptable frame types Configures frame types to be accepted by an interfac...

Page 593: ...s a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames private vlan For an explanation of this command see switchport mode private vlan on page 4 273 Default Setting All ports are in hybrid mode with the PVID set to VLAN 1 Command ...

Page 594: ... When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Example The following example shows how to restrict the traffic received on port 1 to tagged frames Related Commands switchport mode 4 257 switchport ingress filtering This command enables ingress filtering for an interface Syntax switchport ingress filtering no switchport ingress filtering ...

Page 595: ... ID for a port Range 1 4094 no leading zeroes Default Setting VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage Setting the native VLAN for a port can only be performed when the port is a member of the VLAN and the VLAN is untagged The no switchport native vlan command will set the native VLAN of the port to untagged VLAN 1 If acceptable frame types is set to all or s...

Page 596: ...witchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress If none of the intermediate network devices nor the host at the other end of the connection supports...

Page 597: ...esignate a range of IDs Do not enter leading zeros Range 1 4094 Default Setting No VLANs are included in the forbidden list Command Mode Interface Configuration Ethernet Port Channel Command Usage This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of ...

Page 598: ...VLANs Command Mode Normal Exec Privileged Exec Example The following example shows how to display information for VLAN 1 Table 4 72 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE PE 4 262 show interfaces status vlan Displays status for the specified VLAN interface NE PE 4 197 show interfaces switchport Displays the administrative and operational status of an inte...

Page 599: ...nfigure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport allowed vlan page 4 260 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port switchport native vlan page 4 259 7 Configure the QinQ tunnel uplink port to dot1Q tunnel uplink mode switchport dot1q tunnel mode page 4 264 8 Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged ...

Page 600: ...how dot1q tunnel 4 266 show interfaces switchport 4 199 switchport dot1q tunnel mode This command configures an interface as a QinQ tunnel port Use the no form to disable QinQ on the interface Syntax switchport dot1q tunnel mode access uplink no switchport dot1q tunnel mode access Sets the port as an 802 1Q tunnel access port uplink Sets the port as an 802 1Q tunnel uplink port Default Setting Dis...

Page 601: ...tion This identifier is used to select a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 Range 0800 FFFF hexadecimal Default Setting 0x8100 Command Mode Interface Configuration Ethernet Port Channel Command Usage Use the switchport dot1q tunnel tpid command to set a custom 802 1Q ethertype value on the selected interface This feature allows the ...

Page 602: ...sole config dot1q tunnel system tunnel control Console config interface ethernet 1 1 Console config if switchport dot1q tunnel mode access Console config if interface ethernet 1 2 Console config if switchport dot1q tunnel mode uplink Console config if end Console show dot1q tunnel Current double tagged status of the system is Enabled The dot1q tunnel mode of the set interface 1 1 is Access mode TP...

Page 603: ...ccess to their uplink ports where security is less likely to be compromised Note Due to switch ASIC limitations traffic segmentation is not supported on the iES4024GP This section describes commands used to configure traffic segmentation pvlan This command enables port based traffic segmentation Use the no form to disable this feature Syntax no pvlan Default Setting Disabled Command Mode Global Co...

Page 604: ...terface list One or more uplink or downlink interfaces ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Default Setting None Table 4 75 Traffic Segmentation Forwarding Destination Source Session 1 Downlinks Session 1 Uplinks Session 2 Downlinks Session 2 Uplinks Normal Ports Session 1 Downlink Ports Blo...

Page 605: ...itations ports 1 8 9 16 17 24 are grouped together when any group member is configured as an uplink or downlink interface Example pvlan session This command creates a traffic segmentation client session Use the no form to remove a client session Syntax no pvlan session session id session id Traffic segmentation session Range 1 15 Default Setting None Command Mode Global Configuration Command Usage...

Page 606: ...sions Default Setting Blocking Command Mode Global Configuration Example This example enables forwarding of traffic between uplink ports assigned to different client sessions show pvlan This command displays the traffic segmentation configuration settings Syntax show pvlan session session id session id Traffic segmentation session Range 1 15 Command Mode Privileged Exec Example Console config pvla...

Page 607: ...ured Note that private VLANs and normal VLANs can exist simultaneously within the same switch This section describes commands used to configure private VLANs To configure primary secondary associated groups follow these steps 1 Use the private vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community groups 2 Use the private vlan ...

Page 608: ...e associate primary VLAN primary A VLAN which can contain one or more community VLANs and serves to channel traffic between community VLANs and other locations Default Setting None Command Mode VLAN Configuration Command Usage Private VLANs are used to restrict traffic to ports within the same community and channel traffic passing outside the community through promiscuous ports When using communit...

Page 609: ...y for group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports and to resources outside of the primary VLAN via promiscuous ports Example switchport mode private vlan Use this command to set the private VLAN mode for an interface Use the no form to restore the default setting Sy...

Page 610: ...tion secondary vlan id no switchport private vlan host association secondary vlan id ID of secondary i e community VLAN Range 1 4092 no leading zeroes Default Setting None Command Mode Interface Configuration Ethernet Port Channel Command Usage All ports assigned to a secondary i e community VLAN can pass traffic between group members but must communicate with resources outside of the group via pr...

Page 611: ... can communicate with any other promiscuous ports in the same VLAN and with the group members within any associated secondary VLANs Example show vlan private vlan Use this command to show the private VLAN configuration settings on this switch Syntax show vlan private vlan community primary community Displays all community VLANs along with their associated primary VLAN and assigned host interfaces ...

Page 612: ...p for each of the protocols you want to assign to a VLAN using the protocol vlan protocol group add command 3 Then map the protocol group to the appropriate VLAN using the protocol vlan protocol group vlan command Note Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 by default that has been configured with the switch s administrative IP IP Protocol Ethernet traffic m...

Page 613: ...nd rarp Default Setting No protocol groups are configured Command Mode Global Configuration Example The following creates protocol group 2 and specifies Ethernet frames transmitting ARP protocol type traffic protocol vlan protocol group Configuring VLANs This command globally maps a protocol group to a VLAN Use the no form to remove the protocol mapping Syntax protocol vlan protocol group group id...

Page 614: ... type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for the interface Example The following example maps traffic matching the protocol type specified in protocol group 2 to VLAN 2 show protocol vlan protocol group This command shows the frame and protocol type associated with protocol ...

Page 615: ...IP traffic is detected on a configured port the switch automatically assigns the port to the Voice VLAN Alternatively switch ports can be manually configured Console show protocol vlan protocol group vid ProtocolGroup ID VLAN ID 2 VLAN2 Console Table 4 78 Voice VLAN Commands Command Function Mode Page voice vlan Defines the Voice VLAN ID GC 4 280 voice vlan aging Configures the aging time for Voic...

Page 616: ...ted on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically assigns the port as a tagged member of the Voice VLAN Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN The Voice VLAN ID c...

Page 617: ...ddress mac address Defines a MAC address OUI that identifies VoIP devices in the network For example 01 23 45 00 00 00 mask address Identifies a range of MAC addresses Range 80 00 00 00 00 00 to FF FF FF FF FF FF description User defined text that identifies the VoIP devices Range 1 32 characters Default Setting None Command Mode Global Configuration Command Usage VoIP devices attached to the swit...

Page 618: ...ed to the Voice VLAN auto The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port Default Setting Disabled Command Mode Interface Configuration Command Usage When auto is selected you must select the method to use for detecting VoIP traffic either OUI or 802 1ab LLDP using the switchport voice vlan rule command page 4 283 When OUI is selected be sure t...

Page 619: ... see the voice vlan mac address command on page 4 281 MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device LLDP checks that the telephone bit in the system capability TLV is turned on See Spanning Tree Commands on page 4 226 for more information on LLDP Example The following example enables the OUI method on port...

Page 620: ...mand specifies a CoS priority for VoIP traffic on a port Use the no form to restore the default priority on a port Syntax switchport voice vlan priority priority value no switchport voice vlan priority priority value The CoS priority value Range 0 6 Default Setting 6 Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN The ...

Page 621: ...34 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Eth 1 1 Auto Enabled OUI 6 Eth 1 2 Disabled Disabled OUI 6 Eth 1 3 Manual Enabled OUI 5 Eth 1 4 Auto Enabled OUI 6 Eth 1 5 Disabled Disabled OUI 6 Eth 1 6 Disabled Disabled OUI 6 Eth 1 7 Disabled Disabled OUI 6 Eth 1 8 Disabled Disabled OUI 6 Eth 1 9 Disabled Disabled OUI 6 Eth 1 10 Disabled Disabled OUI...

Page 622: ...TTL value sent in LLDP advertisements GC 4 288 medFastStartCount Configures how many medFastStart packets are transmitted GC 4 289 lldp notification interval Configures the allowed interval for sending SNMP notifications about LLDP changes GC 4 289 lldp refresh interval Configures the periodic transmit interval for LLDP advertisements GC 4 290 lldp reinit delay Configures the delay before attempti...

Page 623: ...LDP enabled port to advertise its Power over Ethernet capabilities IC 4 300 lldp medtlv extpoe Configures an LLDP MED enabled port to advertise its extended Power over Ethernet configuration and usage information IC 4 300 lldp medtlv inventory Configures an LLDP MED enabled port to advertise its inventory identification details IC 4 301 lldp medtlv location Configures an LLDP MED enabled port to a...

Page 624: ...ing Syntax lldp holdtime multiplier value no lldp holdtime multiplier value Calculates the TTL in seconds based on holdtime multiplier refresh interval 65536 Range 2 10 Default Setting Holdtime multiplier 4 TTL 4 30 120 seconds Command Mode Global Configuration Command Usage The time to live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if i...

Page 625: ...vailability of Emergency Call Service Example lldp notification interval This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes Use the no form to restore the default setting Syntax lldp notification interval seconds no lldp notification interval seconds Specifies the periodic interval at which SNMP notifications are sent Range 5 3600 seconds Default Set...

Page 626: ...ic interval at which LLDP advertisements are sent Range 5 32768 seconds Default Setting 30 seconds Command Mode Global Configuration Command Usage This attribute must comply with the following rule refresh interval holdtime multiplier 65536 Example lldp reinit delay This command configures the delay before attempting to re initialize after LLDP ports are disabled or the link goes down Use the no f...

Page 627: ...ldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds Default Setting 2 seconds Command Mode Global Configuration Command Usage The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probability that multiple rather than single changes are reported...

Page 628: ...p notification Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification interval command page 4 289 Trap notifications include information about state changes in the LLDP MIB IEEE 802 1AB or organization specific LLDP EXT DOT1 and LL...

Page 629: ...otifications include information about state changes in the LLDP MIB IEEE 802 1AB the LLDP MED MIB ANSI TIA 1057 or organization specific LLDP EXT DOT1 and LLDP EXT DOT3 MIBs SNMP trap destinations are defined using the snmp server host command page 4 90 Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at ...

Page 630: ... The interface number and OID are included to assist SNMP applications to perform network discovery by indicating enterprise specific or other starting points for the search such as the Interface or Entity MIB Since there are typically a number of different addresses associated with a Layer 3 device an individual LLDP PDU may contain more than one management address TLV Every management address TL...

Page 631: ... Command Mode Interface Configuration Ethernet Port Channel Command Usage The system capabilities identifies the primary function s of the system and whether or not these primary functions are enabled The information advertised by this TLV is described in IEEE 802 1AB Example lldp basic tlv system description This command configures an LLDP enabled port to advertise the system description Use the ...

Page 632: ...Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The system name is taken from the sysName object in RFC 3418 which contains the system s administratively assigned name and is in turn based on the hostname command page 4 17 Example lldp dot1 tlv proto ident This command configures an LLDP enabled port to advertise the supported protocols Use the no f...

Page 633: ...nd Usage This option advertises the port based and protocol based VLANs configured on this interface see Configuring VLAN Interfaces on page 4 256 and Configuring Protocol based VLANs on page 4 276 Example lldp dot1 tlv pvid This command configures an LLDP enabled port to advertise its default VLAN ID Use the no form to disable this feature Syntax no lldp dot1 tlv pvid Default Setting Enabled Comm...

Page 634: ...nd Usage This option advertises the name of all VLANs to which this interface has been assigned See switchport allowed vlan on page 4 260 and protocol vlan protocol group Configuring VLANs on page 4 277 Example lldp dot3 tlv link agg This command configures an LLDP enabled port to advertise link aggregation capabilities Use the no form to disable this feature Syntax no lldp dot3 tlv link agg Defau...

Page 635: ...n Ethernet Port Channel Command Usage This option advertises MAC PHY configuration status which includes information about auto negotiation support capabilities and operational Multistation Access Unit MAU type Example lldp dot3 tlv max frame This command configures an LLDP enabled port to advertise its maximum frame size Use the no form to disable this feature Syntax no lldp dot3 tlv max frame De...

Page 636: ...ties including whether or not PoE is supported currently enabled if the port pins through which power is delivered can be controlled the port pins selected to deliver power and the power class Example lldp medtlv extpoe This command configures an LLDP MED enabled port to advertise and accept Extended Power over Ethernet configuration and usage information Use the no form to disable this feature Sy...

Page 637: ...lv inventory Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises device details useful for inventory management such as manufacturer model software version and other pertinent information Example lldp medtlv location This command configures an LLDP MED enabled port to advertise its location identification details Use the no form t...

Page 638: ...ED TLV capabilities allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP MED related TLVs are supported on the switch Example lldp medtlv network policy This command configures an LLDP MED enabled port to advertise its network policy configuration Use the no form to disable this feature Syntax no lldp medtlv network policy Default Setting Enabled Command Mode Interfa...

Page 639: ...omplete service disruption Example show lldp config This command shows LLDP configuration settings for all ports Syntax show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Command Mode Privileged Exec Console config interface et...

Page 640: ... 1 3 Tx Rx True Eth 1 4 Tx Rx True Eth 1 5 Tx Rx True Console show lldp config detail ethernet 1 1 LLDP Port Configuration Detail Port Eth 1 1 Admin Status Tx Rx Notification Enabled True Basic TLVs Advertised port description system name system description system capabilities management ip address 802 1 specific TLVs Advertised port vid vlan name proto vlan proto ident 802 3 specific TLVs Adverti...

Page 641: ...2 03 04 05 System Name System Description 24 10 100 ports and 4 gigabit ports with PoE switch System Capabilities Support Bridge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 01 02 03 04 06 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 01 02 03 04 07 Ethernet Port on unit 1 port 2 E...

Page 642: ... Command Mode Privileged Exec Example Console show lldp info remote device LLDP Remote Devices Information Interface ChassisId PortId SysName Eth 1 1 00 01 02 03 04 05 00 01 02 03 04 06 Console show lldp info remote device detail ethernet 1 1 LLDP Remote Devices Information Detail Local PortName Eth 1 1 Chassis Type MAC Address Chassis Id 00 01 02 03 04 05 PortID Type MAC Address PortID 00 01 02 0...

Page 643: ...ed Exec Example switch show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Interface NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 switch show lldp inf...

Page 644: ... queues before servicing lower priority queues wrr Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1 2 4 8 for queues 0 3 respectively Default Setting Weighted Round Robin Table 4 80 Priority Commands Command Groups Function Page Priority Layer 2 Configures default priority for untagged frames sets queue weights and maps class of service tags to hardware queue...

Page 645: ...s a priority for incoming untagged frames Use the no form to restore the default value Syntax switchport priority default default priority id no switchport priority default default priority id The priority number for untagged ingress traffic The priority is a number from 0 to 7 Seven is the highest priority Default Setting The priority is not set and the default value for untagged frames received ...

Page 646: ...nd assigns class of service CoS values to the priority queues i e hardware output queues 0 3 Use the no form set the CoS map to the default values Syntax queue cos map queue_id cos1 cosn no queue cos map queue_id The ID of the priority queue Ranges are 0 to 3 where 3 is the highest priority queue cos1 cosn The CoS values that are mapped to the queue ID It is a space separated list of numbers The C...

Page 647: ... None Command Mode Privileged Exec Example show queue bandwidth This command displays the weighted round robin WRR bandwidth allocation for the four priority queues Default Setting None Command Mode Privileged Exec Console config interface ethernet 1 1 Console config if queue cos map 0 0 Console config if queue cos map 1 1 Console config if queue cos map 2 2 Console config if exit Console show que...

Page 648: ...t Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Example Console show queue bandwidth Queue ID Weight 0 1 1 2 2 4 3 8 Console Console show queue cos map ethernet 1 1 Information of Eth 1 1 Traffic Class 0 1 2 3 4 5 6 7 Priority Queue 1 0 0 1 2 2 3 3 Console ...

Page 649: ...switchport priority Example The following example shows how to enable IP DSCP mapping globally map ip dscp Interface Configuration This command sets IP DSCP priority i e Differentiated Services Code Point priority Use the no form to restore the default table Syntax map ip dscp dscp value cos cos value no map ip dscp dscp value 8 bit DSCP value Range 0 63 cos value Class of Service value Range 0 7 ...

Page 650: ...ority values are mapped to default Class of Service values according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the four hardware priority queues This command sets the IP DSCP priority for all interfaces Example The following example shows how to map IP DSCP value 1 to CoS value 0 Table 4 84 IP DSCP to CoS Vales IP DSCP Value CoS Value 0 0 8 1 10 12 14 16 2 18 2...

Page 651: ...28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Example Related Commands map ip dscp Global Configuration 4 313 map ip dscp Interface Configuration 4 313 Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0...

Page 652: ...r matching traffic class and use the policer command to monitor the average flow and burst rate and drop any traffic that exceeds the specified rate or just reduce the DSCP service level for traffic exceeding the specified rate 6 Use the service policy command to assign a policy map to a specific interface Table 4 85 Quality of Service Commands Command Function Mode Page class map Creates a class ...

Page 653: ... a class map class map name Name of the class map Range 1 16 characters Default Setting None Command Mode Global Configuration Command Usage First enter this command to designate a class map and enter the Class Map configuration mode Then use the match command page 4 318 to specify the criteria for ingress traffic that will be classified under this class map Up to 16 match commands are permitted p...

Page 654: ...p configuration mode Then use the match command to specify the fields within ingress packets that must match to qualify for this class map Only one match command can be entered per class map Example This example creates a class map called rd_class 1 and sets it to match packets marked for DSCP service value 3 This example creates a class map call rd_class 2 and sets it to match packets marked for ...

Page 655: ...te a Class Map page 4 319 before assigning it to a Policy Map Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the set command to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response t...

Page 656: ...then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets set This command services IP traffic by setting a CoS or DSCP value in a matching packet as specified by the match command on page 4 318 Use the no form to remove the traffic classification Syntax no set cos new cos ip dscp new dscp new c...

Page 657: ...ard ACL and Extended ACL Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is specified by the burst byte field and the average rate at which tokens are removed from the bucket is specified by the rate bps option Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the se...

Page 658: ...t Port Channel Command Usage You can only assign one policy map to an interface You must first define a class map then define a policy map and finally use the service policy command to bind the policy map to the required interface Example This example applies a service policy to an ingress interface show class map This command displays the QoS class maps which define matching criteria used for cla...

Page 659: ...xec Example show policy map interface This command displays the service policy assigned to the specified interface Syntax show policy map interface interface input interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Console show class map Class Map match any rd_class 1 Match ip dscp 3 Class Map m...

Page 660: ...splays the multicast service and group members 4 324 IGMP Query Configures IGMP query parameters for multicast filtering at Layer 2 4 329 Static Multicast Routing Configures static multicast router ports 4 332 IGMP Filtering and Throttling Configures IGMP filtering and throttling 4 334 Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other sta...

Page 661: ...the port Syntax no ip igmp snooping vlan vlan id static ip address interface vlan id VLAN ID Range 1 4094 ip address IP address for multicast group interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Default Setting None Command Mode Global Configuration Example The following shows how to statica...

Page 662: ...network that only support Version 1 you will also have to configure this switch to use Version 1 Some commands are only enabled for IGMPv2 and or v3 including ip igmp snooping querier ip igmp snooping query max response time ip igmp snooping query interval and ip igmp snooping immediate leave Example The following configures the switch to use IGMP Version 1 ip igmp snooping leave proxy This comman...

Page 663: ...ve is not used a multicast router or querier will send a group specific query message when an IGMPv2 or IGMPv3 group leave message is received The router querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period Note that the timeout period is determined by ip igmp snooping query max response time see 4 331 If immediate leave is enable...

Page 664: ...c address table multicast vlan vlan id user igmp snooping vlan id VLAN ID 1 to 4094 user Display only the user configured multicast entries igmp snooping Display only entries learned through IGMP snooping Default Setting None Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER depending on selected options Console show ip igmp snooping Service status Enabled Quer...

Page 665: ...on page 4 326 If enabled the switch will serve as querier if elected The querier is responsible for asking hosts if they want to receive multicast traffic Console show mac address table multicast vlan 1 igmp snooping VLAN M cast IP addr Member ports Type 1 224 1 2 3 Eth1 11 IGMP Console Table 4 88 IGMP Query Commands Layer 2 Command Function Mode Page ip igmp snooping querier Allows this device to...

Page 666: ... defined by this command but a client has not responded a countdown timer is started using the time defined by ip igmp snooping query max response time If the countdown finishes and the client still has not responded then that client is considered to have left the multicast group Example The following shows how to configure the query count to 10 Related Commands ip igmp snooping query max response...

Page 667: ...t be using IGMPv2 or v3 snooping for this command to take effect This command defines the time after a query during which a response is expected from a multicast client If a querier has sent a number of queries defined by the ip igmp snooping query count but a client has not responded a countdown timer is started using an initial value set by this command If the countdown finishes and the client s...

Page 668: ... seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 or v3 snooping for this command to take effect Example The following shows how to configure the default timeout to 300 seconds Related Commands ip igmp snooping version 4 326 Static Multicast Routing Commands This section describes commands used to configure static multicast routing on the switch Console config ip ...

Page 669: ...onnections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your router you can manually configure that interface to join all the current multicast groups Example The following shows how to configure port 11 as a multicast router port within VLAN 1 show ip igm...

Page 670: ...uter Ports Type 1 Eth 1 11 Static 2 Eth 1 12 Static Console Table 4 90 IGMP Filtering and Throttling Commands Command Function Mode Page ip igmp filter Enables IGMP filtering and throttling on the switch GC 4 335 ip igmp profile Sets a profile number and enters IGMP filter profile configuration mode GC 4 335 permit deny Sets a profile access mode to permit or deny IPC 4 336 range Specifies one or ...

Page 671: ...are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups The IGMP filtering feature operates in the same manner when MVR is ...

Page 672: ...r deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGMP join reports are only processed when a multicast group is not in the controlled range Example range This command specifies multicast group addresses for a profile Use the no form to delete addresses from a profile Syntax no r...

Page 673: ...ult Setting None Command Mode Interface Configuration Command Usage The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface Only one profile can be assigned to an interface A profile can also be assigned to a trunk interface When ports are configured as trunk members the trunk uses the filtering profile assigned to the first ...

Page 674: ...or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group IGMP throttling can also be set on a trunk interface When ports are configured as trunk members the trunk uses the throttling settings of the first port member in the trunk Example ip igmp max gr...

Page 675: ...bal and interface settings for IGMP filtering Syntax show ip igmp filter interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Example Console config interface ethernet 1 1 Console config if ip igmp max groups action replace Cons...

Page 676: ...terface settings for IGMP throttling Syntax show ip igmp throttle interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 on iES4028F iES4028FP 1 24 on iES4024GP port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces Console show ip igmp...

Page 677: ...the no form of this command without any keywords to globally disable MVR Use the no form with the group keyword to remove a specific address or range of addresses Or use the no form with the vlan keyword restore the default MVR VLAN Syntax no mvr group ip address count vlan vlan id ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR g...

Page 678: ...t address range of 224 0 0 x MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command page 4 260 and switchport native vlan command page 4 259 but MVR receiver ports should not be statically configured as members of this VLAN IGMP snooping must be enabled to a allow a subscriber to dynamically join or leave an MVR group see ip igmp snooping on page 4 ...

Page 679: ...er of any configured multicast group Command Mode Interface Configuration Ethernet Port Channel Command Usage A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering Receiver ports can belong to different VLANs but should not be configured as a member of the MVR VLAN IGMP snooping can ...

Page 680: ... multicast join or leave messages Example The following configures one source port and several receiver ports on the switch enables immediate leave on one of the receiver ports and statically assigns a multicast group to another receiver port show mvr This command shows information about the global MVR configuration settings when entered without any keywords the interfaces attached to the MVR VLAN...

Page 681: ...ps 10 Console Table 4 92 show mvr display description Field Description MVR Status Shows if MVR is globally enabled on the switch MVR running status Indicates whether or not all necessary conditions in the MVR environment are satisfied MVR multicast vlan Shows the VLAN used to transport all MVR multicast traffic MVR Max Multicast Groups Shows the maximum number of multicast groups which can assign...

Page 682: ...0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 INACTIVE None 225 0 0 6 INACTIVE None 225 0 0 7 INACTIVE None 225 0 0 8 INACTIVE None 225 0 0 9 INACTIVE None 225 0 0 10 INACTIVE None Console Table 4 94 show mvr members display description Field Description MVR Group IP Multicast groups assigned to the MVR VLAN Status Shows whether or not the there are active subscribe...

Page 683: ...s bootp Obtains IP address from BOOTP dhcp Obtains IP address from DHCP Default Setting DHCP Command Mode Interface Configuration VLAN Command Usage You must assign an IP address to this device to gain management access over the network You can manually configure a specific IP address or direct the device to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four numbers 0...

Page 684: ...ent VLAN Example In the following example the device is assigned an address in VLAN 1 Related Commands ip dhcp restart 4 349 ip default gateway This command establishes a static route between this switch and devices that exist on another network segment Use the no form to remove the static route Syntax ip default gateway gateway no ip default gateway gateway IP address of the default gateway Defau...

Page 685: ...network portion of the address provided to the client will be based on this new domain Example In the following example the device is reassigned the same address Related Commands ip address 4 347 show ip interface This command displays the settings of an IP interface Default Setting All interfaces Command Mode Privileged Exec Example Console config interface vlan 1 Console config if ip address dhc...

Page 686: ...t Range 32 512 The actual packet size will be eight bytes larger than the size specified because the router adds header information Default Setting count 5 size 32 Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be reached Following are some results of the ping command Normal response The normal response occurs in one to ten sec...

Page 687: ...88 Console ping 10 1 0 9 Type ESC to abort PING to 10 1 0 9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 10 ms response time 10 ms Ping statistics for 10 1 0 9 5 packets transmitted 5 packets received 100 0 packets lost 0 Approximate round trip times Minimum 10 ms Maximum 20 ms Average 10 ms Console ...

Page 688: ...Command Line Interface 4 352 4 This page is intentionally left blank ...

Page 689: ...Broadcast Storm Control Traffic throttled above a critical threshold Port Mirroring Multiple source ports one destination port Rate Limits Input limit Output limit Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Control Protocol Spanning Tree Algorithm Spanning Tree Protocol STP IEEE 802 1D Rapid Spanning Tree Protocol RSTP IEEE 802 1w Multiple Spanning Tre...

Page 690: ...SNMP manager or Secure Shell Out of Band Management RS 232 DB 9 console port Software Loading TFTP in band or XModem out of band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 1AB Link Layer Discovery Protocol IEEE 802 1D Spanning Tree Protocol and traffic priorities IEEE 802 1p Priority tags IEEE 802...

Page 691: ...89 Entity MIB RFC 2737 Ether like MIB RFC 3635 Extended Bridge MIB RFC 2674 Extensible SNMP Agents MIB RFC 2742 Forwarding Table MIB RFC 2096 IGMP MIB RFC 2933 Interface Group MIB RFC 2233 Interfaces Evolution MIB RFC 2863 IP Multicasting related MIBs MAU MIB RFC 3636 MIB II RFC 1213 Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Private MIB QnQ Tunneling IEEE 802 1ad Provider...

Page 692: ...pecifications A 4 A SNMP Target MIB SNMP Notification MIB RFC 3413 SNMP User Based SM MIB RFC 3414 SNMP View Based ACM MIB RFC 3415 TACACS Authentication Client MIB TCP MIB RFC 2012 Trap RFC 1215 UDP MIB RFC 2013 ...

Page 693: ...r of concurrent Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is prope...

Page 694: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 695: ... DSCP uses a six bit tag to provide for up to 64 different forwarding behaviors Based on network policies different kinds of traffic can be marked for different kinds of forwarding The DSCP bits are mapped to the Class of Service categories and then into the output queues Domain Name Service DNS A system used for translating host names for network nodes into IP addresses Dynamic Host Control Proto...

Page 696: ...es to register and propagate multicast group membership information in a switched environment so that multicast data frames are propagated only to those parts of a switched LAN containing registered endstations Formerly called Group Address Registration Protocol Generic Multicast Registration Protocol GMRP GMRP allows network devices to register end stations with multicast groups GMRP requires tha...

Page 697: ...802 3 2002 IGMP Query On each subnetwork one IGMP capable device will act as the querier that is the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong The elected querier will be the device with the lowest IP address in the subnetwork IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Router...

Page 698: ...intended for use with 32 bit machines and is safer than the MD4 algorithm which has been broken MD5 is a one way hash function meaning that it takes a message and converts it into a fixed string of digits also called a message digest Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered or forwards them to all port...

Page 699: ...ngle high speed logical link that combines several lower speed physical links Power over Ethernet The IEEE 802 3af standard for providing Power over Ethernet PoE capabilities When Ethernet is passed over copper cable two twisted pairs are used for data transfer and two twisted pairs are unused With PoE power can either be passed over the two data pairs or over the two spare pairs Private VLANs Pri...

Page 700: ...s functions including Telnet SSH can authenticate users with a cryptographic key and encrypt data connections between management clients and the switch Simple Mail Transfer Protocol SMTP A standard host to host mail transport protocol that operates over TCP port 25 Simple Network Management Protocol SNMP The application protocol in the Internet suite of protocols which offers network management se...

Page 701: ...like services UDP packets are delivered just like IP packets connection less datagrams that may be discarded before reaching their targets UDP is useful when TCP would be too complex too slow or just unnecessary Universal Time Coordinate UTC UTC is a time scale that couples Greenwich Mean Time based solely on the Earth s rotation rate with highly accurate atomic time The UTC does not have daylight...

Page 702: ...Glossary Glossary 8 This page is intentionally left blank ...

Page 703: ...4 114 acceptable frame type 3 198 4 258 Access Control List See ACL ACL 3 108 4 176 binding to an interface 3 115 4 181 Extended IP 3 109 4 176 4 179 MAC 3 109 4 182 4 183 4 185 Standard IP 3 109 4 176 4 178 address table 3 162 4 222 aging time 3 164 4 225 authentication MAC 3 107 4 150 MAC address authentication 3 102 4 150 MAC configuring ports 3 107 4 150 network access 3 102 4 150 public key 3...

Page 704: ...map 3 242 4 319 service policy 3 245 4 322 downloading software 3 22 4 35 DSA encryption 3 82 3 84 4 132 DSCP enabling 3 236 4 313 mapping priorities 3 237 4 313 dynamic addresses displaying 3 163 4 224 dynamic VLAN assignment 3 102 3 104 4 153 E edge port STA 3 177 3 180 4 239 encryption DSA 3 82 3 84 4 132 RSA 3 82 3 84 4 132 engine ID 3 46 4 93 event logging 3 29 4 49 exec command privileges ac...

Page 705: ...blic 3 79 4 127 user public importing 3 84 key pair host 3 79 4 127 host generating 3 82 4 132 L LACP group attributes configuring 3 141 4 207 group members configuring 3 138 4 205 4 206 4 208 local parameters 3 143 4 209 partner parameters 3 145 4 209 protocol message statistics 3 142 4 209 Link Layer Discovery Protocol Media Endpoint Discovery See LLDP MED Link Layer Discovery Protocol See LLDP ...

Page 706: ... 4 150 ports configuring 3 104 3 107 4 150 reauthentication 3 103 4 155 main menu 3 4 4 9 Management Information Bases MIBs A 3 media type 3 132 4 193 mirror port configuring 3 151 4 219 MSTP 3 181 3 186 4 228 configuring 3 181 4 233 4 236 global settings 3 181 4 226 global settings configuring 3 171 4 228 global settings displaying 3 168 4 246 interfacesettings configuring 3 178 3 186 4 244 4 245...

Page 707: ...iguring 3 128 4 188 ports mirroring 3 151 4 219 power budgets port 3 159 4 216 port priority 3 161 4 216 primary VLAN 3 209 4 272 priority default port ingress 3 231 4 309 private key 3 79 4 127 private VLANs configuring 3 209 3 210 4 271 private VLANs displaying 3 209 4 262 problems troubleshooting B 1 promiscuous ports 3 209 4 271 protocol migration 3 180 4 245 protocol VLANs 3 214 4 277 public ...

Page 708: ... interface settings 4 236 4 245 interfacesettings configuring 3 178 4 236 4 243 interface settings displaying 3 175 4 246 link type 3 177 3 180 4 241 loopback detection 3 167 4 242 path cost 3 168 3 176 4 237 path cost method 3 173 4 232 port priority 3 177 4 238 port trunk loopback detection 3 167 4 242 protocol migration 3 180 4 245 transmission limit 3 173 4 232 standards IEEE A 2 startup files...

Page 709: ...mode 3 199 4 257 interface configuration 3 198 4 258 4 261 private 3 209 4 271 protocol 3 214 4 276 4 277 protocol binding to interfaces 3 216 4 277 protocol configuring groups 3 215 4 277 voice 3 246 4 279 voice VLAN 3 246 4 279 voice VLANs 3 246 4 279 detecting VoIP devices 3 246 4 280 enabling for ports 3 247 4 282 4 282 4 284 identifying client devices 3 249 4 281 VoIP Traffic ports configurin...

Page 710: ...Index 8 Index This page is intentionally left blank ...

Page 711: ...This page is intentionally left blank ...

Page 712: ...iES4028F 4028FP 4024GP ...

Reviews:

No comments

Related manuals for iES4024GP

Brand: Aastra Pages: 2

SR8800 IM-FW-II

Brand: H3C Pages: 107

Brand: 3Com Pages: 12

Brand: H3C Pages: 16

H3C S3600 Series

Brand: H3C Pages: 10

Brand: H3C Pages: 42

Brand: H3C Pages: 2

H3C S7500E Series

Brand: H3C Pages: 34

Brand: H3C Pages: 33

Brand: H3C Pages: 14

Brand: H3C Pages: 56

H3C S7500E Series

Brand: H3C Pages: 112

Brand: H3C Pages: 15

SR8800 IM-FW-II

Brand: H3C Pages: 5

H3C S7500E Series

Brand: H3C Pages: 50

Brand: H3C Pages: 37

Brand: H3C Pages: 4

Brand: H3C Pages: 5

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands